Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads
18.4.23  Android  The Hacker News
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads.

An additional eight million installations have been tracked through ONE store, a leading third-party app storefront in South Korea.

The rogue component is part of a third-party software library used by the apps in question and is capable of gathering information about installed apps, Wi-Fi and Bluetooth-connected devices, and GPS locations.

"Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user's consent," McAfee security researcher SangRyol Ryu said in a report published last week.

What's more, it includes the ability to stealthily load web pages, a feature that could be abused to load ads for financial profit. It achieves this by loading HTML code in a hidden WebView and driving traffic to the URLs.

Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.

Some of the prominent apps include:

L.POINT with L.PAY
Swipe Brick Breaker (removed)
Money Manager Expense & Budget
TMAP - 대리,주차,전기차 충전,킥보드를 티맵에서! (TMAP: chauffeur service, parking, EV charging and kick scooters)
롯데시네마 (Lotte Cinema)
지니뮤직 - genie (genie Music)
컬쳐랜드[컬쳐캐쉬] (Cultureland [Culture Cash])
GOM Player
메가박스 (Megabox, removed)
LIVE Score, Real-Time Score

The findings highlight the need for app developers to know and disclose the third-party dependencies bundled into their software, and to take adequate steps to safeguard users' information against this kind of abuse: the malicious code here entered legitimate apps through a library their developers chose to ship, not through a compromise of the apps themselves.

"Attackers are becoming more sophisticated in their attempts to infect otherwise legitimate applications across platforms," Kern Smith, vice president of sales engineering for the Americas at Zimperium, said.

"The use of third-party SDKs and code, and their potential to introduce malicious code into otherwise legitimate applications is only continuing to grow as attackers start to target the software supply chain to gain the largest footprint possible."
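
The supply-chain lesson above is that a developer who cannot enumerate the SDKs, including transitive ones, that end up in a release build cannot answer the question "is this library in my app?" when a report like McAfee's lands. The following script is an added example written for this page, not code from the article, from McAfee or from Zimperium. It parses the text output of Gradle's dependency report (`./gradlew :app:dependencies --configuration releaseRuntimeClasspath`) into a flat inventory that records which direct dependency pulled in each transitive artifact, then flags two things a reviewer cares about: artifacts whose vendor group is not on a reviewed-vendor allowlist, and dynamic version specs (`+`, `1.+`, ranges, `latest.release`) that let a future build silently pick up a different artifact than the one that was reviewed. The sample Gradle output, the `com.example.*` coordinates and the allowlist are all constructed for the illustration and do not refer to any real SDK.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`
# output. The com.example.* coordinates are invented for this illustration and do not refer
# to any real SDK, let alone the library described in the article.
SAMPLE_GRADLE_OUTPUT = (
    "releaseRuntimeClasspath - Resolved configuration for runtime for variant: release\n"
    "+--- androidx.appcompat:appcompat:1.6.1\n"
    "|    +--- androidx.core:core:1.9.0\n"
    "|    \\--- androidx.fragment:fragment:1.3.6 -> 1.5.5\n"
    "+--- com.google.android.gms:play-services-ads:22.0.0\n"
    "|    \\--- com.google.android.gms:play-services-basement:18.1.0\n"
    "+--- com.example.adnetwork:ad-sdk:+ -> 3.2.1\n"
    "|    \\--- com.example.telemetry:device-info:1.4.0\n"
    "\\--- com.squareup.okhttp3:okhttp:4.10.0 (*)\n"
)

# Hypothetical allowlist: vendor groups the team has actually reviewed. Anything else is flagged.
TRUSTED_GROUP_PREFIXES = ("androidx.", "com.google.android.gms", "com.squareup.")

# One tree line: drawing prefix ("+--- ", "|    \--- ", ...), then group:artifact:version,
# an optional "-> resolved" arrow when Gradle selected a different version than declared,
# and an optional "(*)" / "(c)" / "(n)" marker. Header and "project :x" lines do not match.
_LINE_RE = re.compile(
    r"^(?P<prefix>[ |+\\-]*)"
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):(?P<declared>\S+?)"
    r"(?: -> (?P<resolved>\S+))?"
    r"(?: \([*cn]\))?\s*$"
)


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    declared: str       # version as written in the build script (may be dynamic)
    resolved: str       # version Gradle actually selected
    introduced_by: str  # top-level dependency that pulled it in, or "direct"

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}:{self.resolved}"


def parse_gradle_tree(text: str) -> List[Dependency]:
    """Flatten Gradle's dependency tree into a de-duplicated inventory with provenance."""
    deps: List[Dependency] = []
    seen = set()
    stack: List[str] = []  # coordinates of the ancestors of the current line
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        depth = max(len(m.group("prefix")) // 5 - 1, 0)  # each tree level is 5 columns wide
        declared = m.group("declared")
        resolved = m.group("resolved") or declared
        coord = f"{m.group('group')}:{m.group('artifact')}:{resolved}"
        del stack[depth:]                       # drop siblings' subtrees
        introduced_by = stack[0] if stack else "direct"
        stack.append(coord)
        key = (m.group("group"), m.group("artifact"), declared, resolved)
        if key in seen:                         # "(*)" repeats of an already-listed subtree
            continue
        seen.add(key)
        deps.append(Dependency(m.group("group"), m.group("artifact"), declared, resolved, introduced_by))
    return deps


def is_dynamic_version(declared: str) -> bool:
    """True for specs that let the build pick up a newer artifact without a code change."""
    d = declared.lower()
    return d == "+" or d.endswith(".+") or d.startswith(("[", "(")) or d.startswith("latest")


def audit_dependencies(text: str, trusted_prefixes: Tuple[str, ...] = TRUSTED_GROUP_PREFIXES) -> List[Tuple[str, str]]:
    """Return (coordinate, reason) pairs for dependencies that need a human look."""
    findings: List[Tuple[str, str]] = []
    for dep in parse_gradle_tree(text):
        via = "" if dep.introduced_by == "direct" else f" (pulled in by {dep.introduced_by})"
        if is_dynamic_version(dep.declared):
            findings.append((dep.coordinate,
                             f"dynamic version '{dep.declared}': the next build may ship a different artifact{via}"))
        if not dep.group.startswith(trusted_prefixes):
            findings.append((dep.coordinate, f"group not on the reviewed-vendor allowlist{via}"))
    return findings


if __name__ == "__main__":
    for coord, reason in audit_dependencies(SAMPLE_GRADLE_OUTPUT):
        print(f"{coord}: {reason}")
```

On the constructed sample the script flags the invented ad SDK twice (dynamic `+` version and unreviewed vendor) and its transitive `device-info` artifact once, naming the ad SDK as the dependency that introduced it. That provenance is the useful part: when a vendor or researcher names a malicious library, the first question is not only "do we ship it?" but "which SDK dragged it in?", and the answer is only available if the inventory is generated from the resolved build graph rather than from the hand-written dependency list.
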

The development comes as Cyble took the wraps off a new Android banking trojan dubbed Chameleon that has been active since January 2023 and is targeting users in Australia and Poland.

The trojan follows the pattern of other banking malware spotted in the wild: it abuses Android's accessibility services to harvest credentials and cookies, log keystrokes, prevent its own uninstallation, and carry out other malicious activities.

It's also designed to display rogue overlays on top of a specific list of targeted apps, intercept SMS messages, and even includes a currently unused capability to download and execute an additional payload.

Chameleon, true to its name, is built for evasion: it runs anti-analysis checks to detect whether the device is rooted or the sample is being executed in an emulator or debugging environment, and terminates itself if so.

To mitigate such threats, users are recommended to only download apps from trusted sources, scrutinize app permissions, use strong passwords, enable multi-factor authentication, and exercise caution when receiving SMS or emails from unknown senders.