A new Android malware family has reportedly infiltrated Google Play. Known as ‘Goldoson’, it has been found in 60 legitimate apps with a combined total of around 100 million downloads. As reported by BleepingComputer, the malicious component lives in a third-party library, which the app developers integrated into their apps without knowing what it did.
McAfee’s research team discovered the malware. According to the researchers, it can collect an assortment of sensitive data, including details of the WiFi network, the list of installed apps, Bluetooth-connected devices, and the GPS location of the user. It can also perform ad fraud by clicking ads in the background without the user’s consent or knowledge.
As soon as somebody runs an app that contains ‘Goldoson’, the library registers the device with a remote server and then fetches a configuration from it. That configuration specifies how often the library should run, whether it should click ads, and which data-stealing functions it should perform on the infected device.
As per the report, the data collection routine is generally set to run every two days. It transmits the list of installed apps, the MAC addresses of devices connected via WiFi and Bluetooth, the device’s location history, and similar data to the command-and-control (C2) server. How much data is actually collected depends on the permissions granted to the host app at installation and on the Android version of the device.
Protection and loopholes
Android 11 and later restrict arbitrary data collection of this kind, but the researchers found that ‘Goldoson’ still had sufficient permissions to obtain sensitive data from at least 10% of the affected apps even on the newer Android versions.
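The two factors above, the host app’s granted permissions and the Android version, decide what a bundled library like this can actually read. The following script is an added triage example written for this page, not code from McAfee or from the Goldoson report: it parses a constructed AndroidManifest.xml for a fictional app, then applies the documented platform rules (package-visibility filtering from Android 11, API 30, and the BLUETOOTH_CONNECT runtime permission from Android 12, API 31) to estimate which data classes a Goldoson-style library inside that app could collect on a given device. The manifest, the package name and the data-class labels are all constructed; the permission-to-data mapping is the author’s reading of the Android documentation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_11 = 30  # API 30: package-visibility filtering (QUERY_ALL_PACKAGES)
ANDROID_12 = 31  # API 31: BLUETOOTH_CONNECT replaces legacy BLUETOOTH for bonded devices

# Constructed manifest for a fictional app that bundles a Goldoson-style SDK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (set of short permission names, targetSdkVersion) from a manifest."""
    root = ET.fromstring(xml_text)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name.rsplit(".", 1)[-1])  # android.permission.X -> X
    sdk = root.find("uses-sdk")
    target = 0
    if sdk is not None:
        target = int(sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion", "0"))
    return perms, target


def goldoson_exposure(perms, target_sdk, device_api):
    """Data classes a bundled library could collect, given the host app's
    permissions, its targetSdkVersion and the API level of the device.
    The rules below are the author's reading of Android platform behaviour,
    not claims taken from the McAfee report."""
    exposed = set()
    if "INTERNET" not in perms:
        return exposed  # nothing can be exfiltrated without network access

    # Installed-app list: unrestricted before Android 11. On an API 30+ device,
    # an app targeting API 30+ must hold QUERY_ALL_PACKAGES (or declare
    # <queries>) to enumerate other packages; older targets keep legacy access.
    if (device_api < ANDROID_11 or target_sdk < ANDROID_11
            or "QUERY_ALL_PACKAGES" in perms):
        exposed.add("installed_apps")

    # GPS history and WiFi details (SSID/BSSID) both hinge on a location grant.
    if perms & {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}:
        exposed.add("gps_location")
        if "ACCESS_WIFI_STATE" in perms:
            exposed.add("wifi_details")

    # Bonded Bluetooth devices: legacy BLUETOOTH suffices unless both the
    # device and the app target API 31+, where BLUETOOTH_CONNECT is required.
    if device_api >= ANDROID_12 and target_sdk >= ANDROID_12:
        if "BLUETOOTH_CONNECT" in perms:
            exposed.add("bluetooth_devices")
    elif "BLUETOOTH" in perms:
        exposed.add("bluetooth_devices")
    return exposed


def triage(xml_text, device_api):
    """Parse a manifest and return the sorted list of exposed data classes."""
    perms, target = parse_manifest(xml_text)
    return sorted(goldoson_exposure(perms, target, device_api))


if __name__ == "__main__":
    for api in (29, 30, 33):
        print(f"device API {api}: {triage(SAMPLE_MANIFEST, api)}")
```

Running it shows the point of the "Protection and loopholes" section: the constructed app targets API 29, so even on an Android 13 device the legacy rules apply and every data class is exposed. Raising targetSdkVersion to 33 and dropping QUERY_ALL_PACKAGES removes the installed-app list and the Bluetooth list, which is exactly the narrowing the newer Android versions provide.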
Ad revenue is generated by loading HTML code into a customised, hidden WebView and using it to visit a series of URLs in the background. Nothing on the infected device indicates that this is happening.
Previous threat and its mitigation by Google
In January 2023, Google’s Threat Analysis Group terminated numerous accounts associated with the group known as ‘Spamouflage Dragon’ or ‘Dragonbridge’, which had been spreading pro-Chinese disinformation across several platforms.
Google says that ‘Dragonbridge’ acquires new Google accounts from bulk account sellers. It has also repurposed accounts previously used by financially motivated actors to post disinformation blogs and videos.