back to top

Malware Alert: 60 Google apps with over 100 million downloads have been infected. Delete any of these apps you downloaded from the Play Store.

Follow Us
placeholder text

McAfee researchers have released a list of apps infected with Goldson malware, with over 60 such apps found on the Google Play Store. These apps threaten sensitive information such as contacts, call logs, and location data, which can be used to send spam messages and make unauthorized purchases. McAfee has reported this to Google, and the apps have been removed from the Play Store for further downloading and installation.

However, these apps have already been downloaded on over 100 million smartphones. Users are advised to uninstall these apps if downloaded on their Android smartphones. Most of these apps target the South Korean Google Play Store, and this serves as a reminder to all developers to be careful about the third-party libraries they use in their apps, as some may contain malware.

Uninstall these infected apps from your Android device.

Developers should avoid using malware-infected third-party libraries. Goldson malware is part of a third-party library that developers may have used unknowingly. MMRT has said that this was not made by developers by choice, but it is unclear whether they knowingly or unknowingly injected Goldson into their apps.

To prevent such incidents, developers should:

  • Use third-party libraries from trusted sources.
  • Check the code before implementing it.
  • Keep third-party libraries up-to-date.
  • Read reviews of those libraries before using them.

Some apps have already started receiving security patches, and developers have removed the malware from some apps, but not all of them. However, Goldoson-infected apps still exist in third-party app stores and could harbor malicious libraries. The risk of this happening is high.

What Data Does Goldoson Malware Collect?

  • Device information includes the device model, serial number, and IMEI number. However, the amount of data Goldonson Malware collects depends on the permissions granted by users. Devices running on Android 11 or higher have better protection against this random data collection.
  • Location data
  • MAC address of Bluetooth and Wi-Fi nearby
  • Contact information
  • Call logs
  • SMS messages
  • Browsing history
  • Credit card information
  • Banking information

Any other sensitive data stored on the device can be used by cybercriminals to extract Basic Service Set Identifiers (BSSIDs) and Received Signal Strength Indicators (RSSIs). Your BSSIDs can connect to your Wi-Fi network and triangulate your location. Goldson malware can determine your location more accurately than GPS, especially indoors. They can also try to hack into your network and steal more personal information.

Goldson Malware

This malware first collects all the installed apps and synced devices via your device’s Bluetooth, GPS, or Wi-Fi. To stay informed about you, it re-collects data every two days. It can also perform ad fraud by clicking on ads in the background without users’ consent. Android 11 or higher devices are more insulated from this threat, but this needs to be confirmed because less than 10% of the apps with Goldoson have ‘QUERY_ALL_PACKAGES,’ allowing access to app information and sensitive data.

Once users download and install the launch that contains Goldoson, the library registers the device and receives a configuration from the remote server whose domain is obfuscated. These updated configurations contain the parameters for data-stealing and ad-clicking functions that Goldson should run on the infected device and how often.

Goldson Malware can also perform other malicious activities, such as installing other malware on the device, stealing files from the device, disrupting the device’s operations, and taking control of the device. As mentioned above, it is set to be active every two days, sending data to the C2 service, a command and control server used by attackers to control the infected device. They can send commands to the infected device, receive data from the infected device, and update the malware on the infected device.

These apps have been downloaded millions of times from the Google Play Store. Check out these lists:

Application NameGooglePlay DownloadsGooglePlay DownloadsGPStatus
com.lottemembers.androidL.POINT with L.PAY10M+Updated*
com.Monthly23.SwipeBrickBreakerSwipe Brick Breaker10M+Removed**
com.realbyteapps.moneymanagerfreeMoney Manager Expense & Budget10M+Updated*
com.skt.tmap.kuTMAP – 대리,주차,전기차 충전,킥보 …10M+Updated*
kr.co.lottecinema.lcm롯데시네마10M+Updated*
com.ktmusic.geniemusic지니뮤직 – genie10M+Updated*
com.cultureland.ver2컬쳐랜드[컬쳐캐쉬]5M+Updated*
com.gretech.gomplayerkoGOM Player5M+Updated*
com.megabox.mop메가박스(Megabox)5M+Removed**
kr.co.psynetLIVE Score, Real-Time Score5M+Updated*
sixclk.newpikiPikicast5M+Removed**
com.appsnine.compassCompass 9: Smart Compass1M+Removed**
com.gomtv.gomaudioGOM Audio – Music, Sync lyrics1M+Updated*
com.gretech.gomtv곰TV – All About Video1M+Updated*
com.guninnuri.guninday전역일 계산기 디데이 곰신톡–군인 …1M+Updated*
com.itemmania.imiapp아이템매니아 – 게임 아이템 거래 …1M+Removed**
com.lotteworld.android.lottemagicpassLOTTE WORLD Magicpass1M+Updated*
com.Monthly23.BounceBrickBreakerBounce Brick Breaker1M+Removed**
com.Monthly23.InfiniteSliceInfinite Slice1M+Removed**
com.pump.noraebang나홀로 노래방–쉽게 찾아 이용하는 …1M+Updated*
com.somcloud.somnoteSomNote – Beautiful note app1M+Removed**
com.whitecrow.metroidKorea Subway Info : Metroid1M+Updated*
kr.co.GoodTVBibleGOODTV다번역성경찬송1M+Removed**
kr.co.happymobile.happyscreen해피스크린 – 해피포인트를 모으 …1M+Updated*
kr.co.rinasoft.howuseUBhind: Mobile Tracker Manager1M+Removed**
mafu.driving.free스피드 운전면허 필기시험 …1M+Removed**
com.wtwoo.girlsinger.worldcup이상형 월드컵500K+Updated*
kr.ac.fspmobile.cuCU편의점택배500K+Removed**
com.appsnine.audiorecorder스마트 녹음기 : 음성 녹음기100K+Removed**
com.camera.catmera캣메라 [순정 무음카메라]100K+Removed**
com.cultureland.plus컬쳐플러스:컬쳐랜드 혜택 더하기 …100K+Updated*
com.dkworks.simple_air창문닫아요(미세/초미세먼지/WHO …100K+Removed**
com.lotteworld.ticket.seoulsky롯데월드타워 서울스카이100K+Updated*
com.Monthly23.LevelUpSnakeBallSnake Ball Lover100K+Removed**
com.nmp.playgeto게토(geto) – PC방 게이머 필수 앱100K+Removed**
com.note.app.memorymemo기억메모 – 심플해서 더 좋은 메모장100K+Removed**
com.player.pb.stream풀빵 : 광고 없는 유튜브 영상 …100K+Removed**
com.realbyteapps.moneyaMoney Manager (Remove Ads)100K+Updated*
com.wishpoke.fanciticonInssaticon – Cute Emoticons, K100K+Removed**
marifish.elder815.ecloud클라우드런처100K+Updated*
com.dtryx.scinema작은영화관50K+Updated*
com.kcld.ticketoffice매표소–뮤지컬문화공연 예매& …50K+Updated*
com.lotteworld.ticket.aquarium롯데월드 아쿠아리움50K+Updated*
com.lotteworld.ticket.waterpark롯데 워터파크50K+Updated*
com.skt.skaf.l001mtm091T map for KT, LGU+50K+Removed**
org.howcompany.randomnumber숫자 뽑기50K+Updated*
com.aog.loader로더(Loader) – 효과음 다운로드 앱10K+Removed**
com.gomtv.gomaudio.proGOM Audio Plus – Music, Sync l10K+Updated*
com.NineGames.SwipeBrickBreaker2Swipe Brick Breaker 210K+Removed**
com.notice.safehome안심해 – 안심귀가 프로젝트10K+Removed**
kr.thepay.chuncheon불러봄내 – 춘천시민을 위한 공공  …10K+Removed**
com.curation.fantaholic판타홀릭 – 아이돌 SNS 앱5K+Removed**
com.dtryx.cinecube씨네큐브5K+Updated*
com.p2e.tia.tntTNT5K+Removed**
com.health.bestcare베스트케어–위험한 전자기장, …1K+Removed**
com.ninegames.solitaireInfinitySolitaire1K+Removed**
com.notice.newsafe안심해 : 안심지도1K+Removed**
com.notii.cashnote노티아이 for 소상공인1K+Removed**
com.tdi.dataoneTDI News – 최초 데이터 뉴스 앱 …1K+Removed**
com.ting.eyesting눈팅 – 여자들의 커뮤니티500+Removed**
com.ting.tingsearch팅서치 TingSearch50+Removed**
com.celeb.tube.krieshachu츄스틱 : 크리샤츄 Fantastic50+Removed**
com.player.yeonhagoogokka연하구곡10+Removed**

Even after uninstalling these apps, you can check the device for other signs of malware infection, like the device heating up, battery drain, and unusually high internet data usage, even when you are not using your device. To check for and remove malicious apps from your device, navigate to Device Settings > Security or App Protection. From there, look for apps you don’t recognize or need to remember to install. If you find any suspicious apps, then uninstall them instantly. You can also use a security app to scan your device for malware.

Stay protected. Use a strong password for your Wi-Fi network, keep your network up-to-date, use a firewall to protect your device from unauthorized access, be aware of what apps you install, and most importantly, use a strong password and 2FA authentication for your online accounts.

You can stay protected by updating your device with the latest security patch. These updates often include security patches that can help protect your device from malware. Install apps from trusted sources like the Google Play Store. Be aware when granting app permissions. Use a security app to scan for malware. If your device gets infected with malware, contact your manufacturer or a security expert.