60 Google Play apps infiltrated by malware affecting 100 million devices

Malware infiltrates Google Play via legitimate apps

About 100 million users have installed apps containing malware

A new Android malware known as “Goldoson” has infiltrated Google Play via 60 legitimate apps with a total of 100 million downloads. The malware can collect data on installed apps, WiFi and Bluetooth-connected devices, and the user's GPS location, according to McAfee's research team,[1] which discovered Goldoson. It can also commit ad fraud[2] by clicking ads in the background without the user's knowledge.

This is not the first time malware has found its way into the Google Play store. Despite Google's numerous measures to prevent malware spread, cybercriminals continue to find ways around them. This incident emphasizes the importance of increased vigilance among app developers and users in order to prevent such attacks from occurring.

Developers must vet any third-party library they bundle into an app. Goldoson shows how easily a malicious SDK can ride inside an otherwise legitimate app when that vetting is skipped. Users, for their part, should be wary of apps from unknown developers and of apps that request permissions unrelated to what they do.

How Goldoson works

When a user launches an app containing Goldoson, the library registers the device and fetches its configuration from a remote server whose domain is obfuscated inside the library. The configuration specifies which data-stealing and ad-clicking functions Goldoson should perform on the infected device and how often.

By default, the data collection routine runs every two days, sending the list of installed apps, location history, and the MAC addresses of nearby Bluetooth and WiFi devices, among other information, to the C2 server. How much of this data Goldoson can actually collect depends on the permissions the host app has been granted and on the Android version of the device.

Although Android 11 and later restrict which installed packages an app can see, McAfee found that about 10% of the affected apps still held the permission needed to gather that data, even on recent OS versions. Ad revenue is generated by loading HTML code into a customised, hidden WebView and using it to perform multiple URL visits.
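The two preceding paragraphs make the point that what Goldoson can steal is bounded by the host app's permissions and by the Android version. The following script, an added example and not code from the original article or from McAfee, turns that into a concrete check: it audits a decoded AndroidManifest.xml (for instance, the output of apktool) for the permissions that unlock an installed-app inventory, location, and nearby Wi-Fi/Bluetooth device identifiers, and works out whether the app can enumerate packages on Android 11+ (API 30) either via QUERY_ALL_PACKAGES or by targeting an older API level, where package visibility filtering does not apply. The two manifests embedded below are constructed for the example; the package names and labels are hypothetical.

```python
"""Audit a decoded AndroidManifest.xml for the permissions that gate the data
a Goldoson-style SDK harvests: app inventory, location, nearby device addresses.

Added example; the manifests below are constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_11_API = 30  # package visibility filtering applies to apps targeting API 30+

# Permission -> the data category it unlocks for any library embedded in the app.
SENSITIVE_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "installed app list (Android 11+)",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
    "android.permission.BLUETOOTH_SCAN": "nearby Bluetooth addresses (Android 12+)",
    "android.permission.BLUETOOTH": "Bluetooth addresses (pre-Android 12)",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network / BSSID information",
    "android.permission.NEARBY_WIFI_DEVICES": "nearby Wi-Fi devices (Android 13+)",
}
LOCATION_PERMS = {p for p in SENSITIVE_PERMISSIONS if "LOCATION" in p}
NEARBY_PERMS = {p for p in SENSITIVE_PERMISSIONS if "BLUETOOTH" in p or "WIFI" in p}


def _android_attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> dict:
    """Return which sensitive data categories the manifest allows an embedded SDK to reach."""
    root = ET.fromstring(manifest_xml)
    permissions = {
        _android_attr(el, "name")
        for el in root.iter("uses-permission")
        if _android_attr(el, "name")
    }
    # Note: apktool moves targetSdkVersion into apktool.yml; a manifest without
    # <uses-sdk> yields target_sdk=None and the check falls back to QUERY_ALL_PACKAGES.
    sdk = root.find("uses-sdk")
    raw_target = _android_attr(sdk, "targetSdkVersion") if sdk is not None else None
    target = int(raw_target) if raw_target else None

    can_enumerate_apps = (
        "android.permission.QUERY_ALL_PACKAGES" in permissions
        or (target is not None and target < ANDROID_11_API)  # legacy visibility
    )
    return {
        "target_sdk": target,
        "sensitive_permissions": {
            p: SENSITIVE_PERMISSIONS[p] for p in sorted(permissions) if p in SENSITIVE_PERMISSIONS
        },
        "can_enumerate_apps": can_enumerate_apps,
        "can_read_location": bool(permissions & LOCATION_PERMS),
        "can_read_nearby_devices": bool(permissions & NEARBY_PERMS),
    }


# Constructed manifest resembling an over-permissioned utility app (hypothetical names).
PERMISSIVE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="31"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Constructed manifest of a minimally-permissioned app targeting Android 13 (hypothetical).
MINIMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("permissive", PERMISSIVE_MANIFEST), ("minimal", MINIMAL_MANIFEST)):
        result = audit_manifest(manifest)
        print(f"[{label}] targetSdk={result['target_sdk']}")
        for perm, why in result["sensitive_permissions"].items():
            print(f"  {perm}: {why}")
        for key in ("can_enumerate_apps", "can_read_location", "can_read_nearby_devices"):
            print(f"  {key}: {result[key]}")
```

Run it against `apktool d app.apk` output by passing the decoded manifest text to `audit_manifest`. An app whose purpose does not explain `can_enumerate_apps`, `can_read_location` or `can_read_nearby_devices` being true is exactly the kind of host in which a data-harvesting library has everything it needs.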

The victim sees no indication of any of this on the device, which is what makes Goldoson particularly insidious: it collects data and clicks advertisements entirely in the background, without the user's knowledge.

Remediation and prevention

Users who installed an affected app from Google Play can reduce their risk by updating it to the most recent available version, since the developers were notified and the library has been removed from the updated apps.[3] The same apps are also distributed through third-party Android app stores, however, and copies obtained there are likely to still contain the malicious library.

A device that heats up, a battery that drains quickly, and unusually high mobile data usage while the device is idle are all signs of adware and malware activity. Users should watch for these symptoms and investigate them.

This incident highlights the need for stronger security measures from app developers, Google Play, and Android users alike. Developers should scrutinise third-party libraries before bundling them, and Google Play should enforce stricter policies to keep malware out of the store.

Android users, in turn, should be wary of apps from unknown developers and of apps that request permissions unrelated to their purpose. Similar incidents can only be prevented if all three parties do their part.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
