Goldoson is Android malware found in 60 applications, which collectively had 100M downloads. The malware is a third-party library component that all 60 applications were using. However, the developers were not aware of the malware.
Here are a few of the infected applications:
- L.POINT with L.PAY – 10 million downloads
- Pikicast – 5 million downloads
- Swipe Brick Breaker – 10 million downloads
- Money Manager Expense & Budget – 10 million downloads
- LIVE Score, Real-Time Score – 5 million downloads
- GOM Player – 5 million downloads
- Compass 9: Smart Compass – 1 million downloads
- and more
McAfee’s research team discovered this malware, “Goldoson.” According to them, the malware collected data from several sources, including the user’s GPS location, WiFi-connected devices, Bluetooth devices, and installed apps.
Moreover, it could commit ad fraud by clicking on ads without the user’s consent.
Android Malware Steals Data from Devices
If a user downloads and installs any application containing Goldoson, the library automatically registers the device and retrieves its configuration from a remote private server.
The configuration includes all the parameters that control what the malware runs on the device for ad clicking and data stealing.
Every two days, the data-collection function is activated. The library then sends the C2 server the list of geographical locations, installed apps, and MAC addresses of the devices connected via WiFi, Bluetooth, etc.
The amount of data collected by the malware depended on the permissions granted by the user. For example, devices with Android 11 or above provide stronger protection for data, so they might be less affected than devices on lower versions.
However, McAfee also found that even on recent OS versions, in 10% of apps users had given the malware enough permissions to collect sensitive data from their devices. In addition, the ad-clicking function is activated using customized HTML code, a WebView, and visits to various URLs, which generate ad revenue.
The Goldoson libraries have been removed from the apps on Google Play. However, McAfee warned users to always check twice before granting permissions to any application, because the risk is still there.
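As an added example (not from McAfee's report or from any affected app), the permission check advised above can be scripted against a decoded AndroidManifest.xml: the sketch maps requested permissions to the data categories the article names and shows how the result changes with the device's Android version. The permission-to-category mapping, the function names and the sample manifest are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping (chosen for this example) from the data categories named
# in the article to the Android permissions that gate access to them.
CATEGORY_PERMISSIONS = {
    "gps_location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "wifi_devices": {P + "ACCESS_WIFI_STATE", P + "NEARBY_WIFI_DEVICES"},
    "bluetooth_devices": {P + "BLUETOOTH", P + "BLUETOOTH_SCAN",
                          P + "BLUETOOTH_CONNECT"},
    "installed_apps": {P + "QUERY_ALL_PACKAGES"},
}
NO_PERMISSION = "(no permission required before Android 11)"

# Constructed sample manifest (already decoded to text), not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH"
                   android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

def requested_permissions(manifest_xml, device_sdk):
    """Permissions the manifest requests that apply at this API level."""
    perms = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        max_sdk = node.get(ANDROID_NS + "maxSdkVersion")
        # A request with maxSdkVersion is ignored on newer devices.
        if name and (max_sdk is None or device_sdk <= int(max_sdk)):
            perms.add(name)
    return perms

def exposed_categories(manifest_xml, device_sdk):
    """Data categories any bundled library could reach if the user grants
    what the app requests (simplified: ignores targetSdkVersion)."""
    perms = requested_permissions(manifest_xml, device_sdk)
    exposed = {cat: sorted(perms & needed)
               for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed}
    if device_sdk < 30:  # before Android 11 the app list was not restricted
        exposed["installed_apps"] = [NO_PERMISSION]
    return exposed

if __name__ == "__main__":
    for sdk in (29, 33):  # Android 10 and Android 13
        print(sdk, exposed_categories(SAMPLE_MANIFEST, sdk))
```

A third-party library runs with the host app's permissions, so the output describes what every SDK bundled in the app could read, not only the app's own code.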