A malicious malware named Goldoson has attacked 60 legitimate apps hosted on the Google Play store. The apps had over 100 million downloads combined, and every user could be at risk.
The malware focuses on accomplishing two different tasks. First, it commits ad fraud by repeatedly clicking ads in the background without the user’s consent or knowledge. Second, it collects user data on installed apps and Wi-Fi and Bluetooth-connected devices, and threat actors can even track someone’s location using the user’s GPS location. The information they can spy on scales in severity based on the access level they were able to obtain from each independent app.
“Technically, the library loads HTML code and injects it into a customized and hidden WebView, and it produces hidden traffic by visiting the URLs recursively,” McAfee’s Mobile Research Team said in a release. The researchers added that the malware spreads and operates without users being able to detect it.
After McAfee made Google aware of the Goldoson threat, Google took action to inform each of the companies and apps affected, giving them a timeframe to bring their apps under compliance. Unfortunately, due to the malware, some apps have been removed from the Play Store, potentially indefinitely (depending on the app).
The largest apps that were hit include L.POINT with L.PAY and Swipe Brick Breaker, both with 10 million users, and GOM Player, with five million users. Lesser known apps were also victims of Goldoson too, such as InfiniteSolitaire, which only had a thousand downloads at the time.
While the majority of the downloads and targetted apps were in South Korea, anyone using the list of infected apps that were discovered by researchers at McAfee should take action, such as changing their passwords, deleting the apps until they’ve been properly updated and secured, and scanning their device with a quality antivirus software to make sure it isn’t infesting your apps.