
 

Goldoson Malware Infiltrated Google Play Store's Popular Apps

Started by Hosting News, Apr 24, 2023, 02:10 AM


Hosting News (Topic starter)

60 popular mobile apps available on Google Play Store were infiltrated by a recently identified Android malware called 'Goldoson', which has been downloaded 100 million times.



Researchers from McAfee discovered that this malware can obtain sensitive data from users such as installed apps, WiFi details, GPS locations, and Bluetooth-connected devices. Goldoson conducts ad fraud by clicking on ads in the background without the user's consent or knowledge.

The Goldoson library registers a device and retrieves remote configurations while running. The name of the library and remote server domain vary for every application, and both are hidden using obfuscation techniques. The remote configurations include settings for each functionality and how often the library runs its components.

Based on these parameters, the library extracts device information periodically and sends it to the remote servers. The library loads web pages without user awareness, which generates hidden traffic and can be exploited to display ads for financial gain.

The information collected by the library consists of sensitive data like installed app lists, location history, nearby Bluetooth and Wi-Fi device MAC addresses, etc. Google Play considers the list of installed apps as personal information, and therefore demands a specific permission declaration to access it. Even though Android 11 provides greater protection to users against apps that gather information on all installed apps, approximately 10% of the apps containing Goldoson have the "QUERY_ALL_PACKAGES" permission, allowing them to access app data.

To comply with Google Play's policies, app developers have been informed by Google about their violations. Some apps have been removed from the store, while others have been updated.
Users must upgrade their apps to the latest version to eliminate the threat from their devices. Earlier this year, Google's Threat Analysis Group tackled a group called 'DRAGONBRIDGE' or 'Spamouflage Dragon' by closing multiple associated accounts spreading pro-Chinese disinformation on various platforms.

To reduce the risk of cyber-attacks on mobile devices, it is advisable to keep the operating system and apps up-to-date. This ensures that any known security vulnerabilities are fixed. Download apps only from trusted sources like Google Play or Apple App Store, and avoid downloading apps from unverified sources or third-party app stores.

Before downloading an app, read its permissions and user reviews to understand what data it requires access to and potential concerns. Consider using a mobile security solution that can detect and remove malicious apps while offering additional features like app scanning and protection against phishing attacks.

Avoid connecting to unsecured Wi-Fi networks as they can be used by attackers to intercept your data. Be cautious when clicking on app links, especially from unknown sources; always verify their legitimacy before opening them. By following these best practices, users can significantly reduce their risk of mobile app-related security threats.
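Added example, not part of the original post and not McAfee's or Google's tooling: a manifest audit a reviewer could run on a decoded AndroidManifest.xml to see which of the data categories described above (installed apps, location, Bluetooth, Wi-Fi) an app or an embedded third-party library can reach. The permission-to-category mapping and the sample manifest are assumptions constructed for illustration; only QUERY_ALL_PACKAGES is named in the post.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the data categories named in the post to Android
# permissions; only QUERY_ALL_PACKAGES is named in the post itself.
CATEGORY_PERMISSIONS = {
    "installed app list": {"android.permission.QUERY_ALL_PACKAGES"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "nearby Bluetooth devices": {"android.permission.BLUETOOTH",
                                 "android.permission.BLUETOOTH_SCAN",
                                 "android.permission.BLUETOOTH_CONNECT"},
    "Wi-Fi details": {"android.permission.ACCESS_WIFI_STATE"},
}

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Return the sensitive data categories a decoded manifest can reach."""
    root = ET.fromstring(manifest_xml.strip())
    declared = {node.get(ANDROID + "name")
                for tag in ("uses-permission", "uses-permission-sdk-23")
                for node in root.iter(tag)}
    categories = {cat: sorted(declared & perms)
                  for cat, perms in CATEGORY_PERMISSIONS.items()
                  if declared & perms}
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID + "targetSdkVersion") if sdk is not None else None
    # Package visibility filtering (Android 11, API 30) only applies to apps
    # that target API 30+, so an older target sees every installed package.
    legacy = target is not None and target.isdigit() and int(target) < 30
    return {"categories": categories,
            "sees_all_packages": "installed app list" in categories or legacy,
            "full_profile": len(categories) == len(CATEGORY_PERMISSIONS)}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A manifest that reports `full_profile` is not proof of a bundled tracking library; it marks the app as one whose third-party SDKs deserve a closer look.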



srazer

The Goldoson malware is a type of Android malware that specifically targets Google Play Store's popular apps. It has the ability to infiltrate these apps and carry out various malicious activities. The malware was discovered by researchers from McAfee, who found that it had been downloaded over 100 million times.

Goldoson is primarily designed for ad fraud purposes. It conducts ad clicking in the background without the user's consent or knowledge. This generates hidden traffic and can lead to financial gain for the attackers by displaying ads. In addition to ad fraud, the malware also collects sensitive user data, including installed app lists, location history, nearby Bluetooth and Wi-Fi device MAC addresses, and more.

Google Play Store has policies and security measures in place to prevent the distribution of malicious apps. However, Goldoson managed to bypass these measures, highlighting the challenges faced by Google in ensuring the security of its app store. To address the issue, Google takes action when such violations are identified. In this case, Google informed app developers about their violations and has taken steps to remove or update the affected apps.

Google places great importance on user security and strives to maintain the integrity of its app store. It continues to enhance its security measures to protect users from malicious apps. In recent years, Google has increased its efforts to detect and remove such apps from the Play Store, as well as to educate developers about best practices for app security.

For users, it is crucial to stay vigilant and take precautions to protect themselves from malware like Goldoson. Upgrading apps to their latest versions, as recommended by Google, helps to eliminate known vulnerabilities and ensure that security patches are applied. Users should also exercise caution when downloading apps and only obtain them from trusted sources like the Google Play Store or Apple App Store. Reading app permissions, user reviews, and considering the use of mobile security solutions can provide additional layers of protection.

Overall, while Google works diligently to maintain the security of its app store, it is important for both users and developers to be proactive in safeguarding against malware threats like Goldoson. By staying informed about potential risks and adopting security best practices, users can better protect themselves while enjoying the benefits of mobile apps.

