McAfee researchers have released a list of apps infected with Goldoson malware, with over 60 such apps found on the Google Play Store. These apps threaten sensitive information such as contacts, call logs, and location data, which can be used to send spam messages and make unauthorized purchases. McAfee has reported this to Google, and the apps have been removed from the Play Store, preventing further downloads and installations.
However, these apps have already been downloaded on over 100 million smartphones. Users are advised to uninstall these apps if downloaded on their Android smartphones. Most of these apps target the South Korean Google Play Store, and this serves as a reminder to all developers to be careful about the third-party libraries they use in their apps, as some may contain malware.
Uninstall these infected apps from your Android device.
Developers should avoid using malware-infected third-party libraries. Goldoson malware is part of a third-party library that developers may have used unknowingly. MMRT has said that this was not made by developers by choice, but it is unclear whether they knowingly or unknowingly injected Goldoson into their apps.
To prevent such incidents, developers should:
- Use third-party libraries from trusted sources.
- Check the code before implementing it.
- Keep third-party libraries up-to-date.
- Read reviews of those libraries before using them.
Some apps have already started receiving security patches, and developers have removed the malware from some apps, but not all of them. However, Goldoson-infected apps still exist in third-party app stores and could harbor malicious libraries. The risk of this happening is high.
What Data Does Goldoson Malware Collect?
- Device information, including the device model, serial number, and IMEI number. However, the amount of data Goldoson malware collects depends on the permissions granted by users. Devices running Android 11 or higher have better protection against this random data collection.
- Location data
- MAC address of Bluetooth and Wi-Fi nearby
- Contact information
- Call logs
- SMS messages
- Browsing history
- Credit card information
- Banking information
Any other sensitive data stored on the device can be used by cybercriminals to extract Basic Service Set Identifiers (BSSIDs) and Received Signal Strength Indicators (RSSIs). BSSIDs identify the Wi-Fi networks around you and can be used to triangulate your location. Goldoson malware can determine your location more accurately than GPS, especially indoors. Attackers can also try to hack into your network and steal more personal information.
Goldoson Malware
This malware first collects information on all installed apps and on synced devices via your device's Bluetooth, GPS, or Wi-Fi. To keep this information current, it re-collects the data every two days. It can also perform ad fraud by clicking on ads in the background without users' consent. Devices running Android 11 or higher are more insulated from this threat, but this needs to be confirmed because less than 10% of the apps with Goldoson have 'QUERY_ALL_PACKAGES,' which allows access to app information and sensitive data.
Once users download, install, and launch an app that contains Goldoson, the library registers the device and receives a configuration from a remote server whose domain is obfuscated. These updated configurations contain the parameters for the data-stealing and ad-clicking functions that Goldoson should run on the infected device, and how often.
Goldoson malware can also perform other malicious activities, such as installing other malware on the device, stealing files from the device, disrupting the device's operations, and taking control of the device. As mentioned above, it is set to be active every two days, sending data to the C2 service, a command and control server used by attackers to control the infected device. They can send commands to the infected device, receive data from the infected device, and update the malware on the infected device.
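Because a bundled library runs with whatever permissions its host app declares, developers can audit their merged AndroidManifest.xml to see which of the data types listed above any third-party code could reach, and whether 'QUERY_ALL_PACKAGES' cancels the Android 11 app-list filtering. The following is an added example, not code from McAfee or from any affected app; the permission-to-data mapping and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Assumed mapping from Android permissions to the data types this article lists.
EXPOSURE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.BLUETOOTH_SCAN": "nearby Bluetooth devices",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
}

def audit_manifest(manifest_xml):
    """Report what any code bundled in the app (libraries included) can reach."""
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID + "targetSdkVersion") if sdk is not None else None
    # Android 11 (API 30) filters the installed-app list for apps targeting
    # API 30+, unless QUERY_ALL_PACKAGES is declared. Unknown target: assume visible.
    filtered = target is not None and int(target) >= 30 and QUERY_ALL not in declared
    return {
        "exposed": sorted({EXPOSURE[p] for p in declared if p in EXPOSURE}),
        "full_app_list_visible": not filtered,
    }

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```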
These apps have been downloaded millions of times from the Google Play Store. Check out these lists:
Package Name | Application Name | GooglePlay Downloads | GP Status |
---|---|---|---|
com.lottemembers.android | L.POINT with L.PAY | 10M+ | Updated* |
com.Monthly23.SwipeBrickBreaker | Swipe Brick Breaker | 10M+ | Removed** |
com.realbyteapps.moneymanagerfree | Money Manager Expense & Budget | 10M+ | Updated* |
com.skt.tmap.ku | TMAP – 대리,주차,전기차 충전,킥보 … | 10M+ | Updated* |
kr.co.lottecinema.lcm | 롯데시네마 | 10M+ | Updated* |
com.ktmusic.geniemusic | 지니뮤직 – genie | 10M+ | Updated* |
com.cultureland.ver2 | 컬쳐랜드[컬쳐캐쉬] | 5M+ | Updated* |
com.gretech.gomplayerko | GOM Player | 5M+ | Updated* |
com.megabox.mop | 메가박스(Megabox) | 5M+ | Removed** |
kr.co.psynet | LIVE Score, Real-Time Score | 5M+ | Updated* |
sixclk.newpiki | Pikicast | 5M+ | Removed** |
com.appsnine.compass | Compass 9: Smart Compass | 1M+ | Removed** |
com.gomtv.gomaudio | GOM Audio – Music, Sync lyrics | 1M+ | Updated* |
com.gretech.gomtv | 곰TV – All About Video | 1M+ | Updated* |
com.guninnuri.guninday | 전역일 계산기 디데이 곰신톡–군인 … | 1M+ | Updated* |
com.itemmania.imiapp | 아이템매니아 – 게임 아이템 거래 … | 1M+ | Removed** |
com.lotteworld.android.lottemagicpass | LOTTE WORLD Magicpass | 1M+ | Updated* |
com.Monthly23.BounceBrickBreaker | Bounce Brick Breaker | 1M+ | Removed** |
com.Monthly23.InfiniteSlice | Infinite Slice | 1M+ | Removed** |
com.pump.noraebang | 나홀로 노래방–쉽게 찾아 이용하는 … | 1M+ | Updated* |
com.somcloud.somnote | SomNote – Beautiful note app | 1M+ | Removed** |
com.whitecrow.metroid | Korea Subway Info : Metroid | 1M+ | Updated* |
kr.co.GoodTVBible | GOODTV다번역성경찬송 | 1M+ | Removed** |
kr.co.happymobile.happyscreen | 해피스크린 – 해피포인트를 모으 … | 1M+ | Updated* |
kr.co.rinasoft.howuse | UBhind: Mobile Tracker Manager | 1M+ | Removed** |
mafu.driving.free | 스피드 운전면허 필기시험 … | 1M+ | Removed** |
com.wtwoo.girlsinger.worldcup | 이상형 월드컵 | 500K+ | Updated* |
kr.ac.fspmobile.cu | CU편의점택배 | 500K+ | Removed** |
com.appsnine.audiorecorder | 스마트 녹음기 : 음성 녹음기 | 100K+ | Removed** |
com.camera.catmera | 캣메라 [순정 무음카메라] | 100K+ | Removed** |
com.cultureland.plus | 컬쳐플러스:컬쳐랜드 혜택 더하기 … | 100K+ | Updated* |
com.dkworks.simple_air | 창문닫아요(미세/초미세먼지/WHO … | 100K+ | Removed** |
com.lotteworld.ticket.seoulsky | 롯데월드타워 서울스카이 | 100K+ | Updated* |
com.Monthly23.LevelUpSnakeBall | Snake Ball Lover | 100K+ | Removed** |
com.nmp.playgeto | 게토(geto) – PC방 게이머 필수 앱 | 100K+ | Removed** |
com.note.app.memorymemo | 기억메모 – 심플해서 더 좋은 메모장 | 100K+ | Removed** |
com.player.pb.stream | 풀빵 : 광고 없는 유튜브 영상 … | 100K+ | Removed** |
com.realbyteapps.moneya | Money Manager (Remove Ads) | 100K+ | Updated* |
com.wishpoke.fanciticon | Inssaticon – Cute Emoticons, K | 100K+ | Removed** |
marifish.elder815.ecloud | 클라우드런처 | 100K+ | Updated* |
com.dtryx.scinema | 작은영화관 | 50K+ | Updated* |
com.kcld.ticketoffice | 매표소–뮤지컬문화공연 예매& … | 50K+ | Updated* |
com.lotteworld.ticket.aquarium | 롯데월드 아쿠아리움 | 50K+ | Updated* |
com.lotteworld.ticket.waterpark | 롯데 워터파크 | 50K+ | Updated* |
com.skt.skaf.l001mtm091 | T map for KT, LGU+ | 50K+ | Removed** |
org.howcompany.randomnumber | 숫자 뽑기 | 50K+ | Updated* |
com.aog.loader | 로더(Loader) – 효과음 다운로드 앱 | 10K+ | Removed** |
com.gomtv.gomaudio.pro | GOM Audio Plus – Music, Sync l | 10K+ | Updated* |
com.NineGames.SwipeBrickBreaker2 | Swipe Brick Breaker 2 | 10K+ | Removed** |
com.notice.safehome | 안심해 – 안심귀가 프로젝트 | 10K+ | Removed** |
kr.thepay.chuncheon | 불러봄내 – 춘천시민을 위한 공공 … | 10K+ | Removed** |
com.curation.fantaholic | 판타홀릭 – 아이돌 SNS 앱 | 5K+ | Removed** |
com.dtryx.cinecube | 씨네큐브 | 5K+ | Updated* |
com.p2e.tia.tnt | TNT | 5K+ | Removed** |
com.health.bestcare | 베스트케어–위험한 전자기장, … | 1K+ | Removed** |
com.ninegames.solitaire | InfinitySolitaire | 1K+ | Removed** |
com.notice.newsafe | 안심해 : 안심지도 | 1K+ | Removed** |
com.notii.cashnote | 노티아이 for 소상공인 | 1K+ | Removed** |
com.tdi.dataone | TDI News – 최초 데이터 뉴스 앱 … | 1K+ | Removed** |
com.ting.eyesting | 눈팅 – 여자들의 커뮤니티 | 500+ | Removed** |
com.ting.tingsearch | 팅서치 TingSearch | 50+ | Removed** |
com.celeb.tube.krieshachu | 츄스틱 : 크리샤츄 Fantastic | 50+ | Removed** |
com.player.yeonhagoogokka | 연하구곡 | 10+ | Removed** |
Even after uninstalling these apps, you can check the device for other signs of malware infection, such as the device heating up, battery drain, and unusually high internet data usage even when you are not using your device. To check for and remove malicious apps from your device, navigate to Device Settings > Security or App Protection. From there, look for apps you don't recognize or don't remember installing. If you find any suspicious apps, uninstall them immediately. You can also use a security app to scan your device for malware.
Stay protected. Use a strong password for your Wi-Fi network, keep your network up-to-date, use a firewall to protect your device from unauthorized access, be aware of what apps you install, and most importantly, use a strong password and two-factor authentication (2FA) for your online accounts.
You can stay protected by updating your device with the latest security patch. These updates often include security patches that can help protect your device from malware. Install apps from trusted sources like the Google Play Store. Be aware when granting app permissions. Use a security app to scan for malware. If your device gets infected with malware, contact your manufacturer or a security expert.