The Play Store has been infiltrated by malware again! McAfee security experts have identified 60 popular Android apps that steal personal data and engage in ad fraud.
Once again, the Play Store is hit by a wave of infected mobile applications – it has become a habit. Even though Google has many tools aimed at keeping them out of its store, cybercriminals never lack the imagination to circumvent them. This time, it’s not fake apps imitating official apps, but malware that has infected real official apps, some of which are very popular: in total, around sixty apps are affected, which represent all of even over 100 million downloads!
Named Goldoson, this nasty piece of malware hacked these legitimate applications without even the knowledge of their developers, through a compromised third-party library – a ready-to-use “software brick”, as many applications exploit. Discovered by McAfee security researchers, Goldoson is able to collect data from installed applications as well as view the list of devices connected to Wi-Fi and Bluetooth, and the user’s GPS positions. It can also be used to simulate clicks on advertisements, tricking advertisers into believing that their ads are generating a lot of interaction – and earning a lot of money through affiliate links along the way. This is simply ad fraud. In addition, this process tends to very quickly drain the battery of the smartphone!
Goldoson Malware: Data Theft and Ad Fraud
Initially, applications infected with Goldoson are perfectly normal. The problem comes from the fact that they use a library which has been corrupted by pirates. As a result, by launching an infected app, users unknowingly activate Goldoson, which registers their devices in its database and sets up data theft and click-through procedures, and by setting the frequency and trigger conditions of these actions.
The data from the infected device is usually sent to the hackers’ server every two days. However, the level of infection depends on the type and number of permissions that the infected application has, as well as the Android version used. Indeed, Android 11 and higher versions make it more difficult for illegal data harvesting, but according to researchers, malware can still grab sensitive data from 10% of apps.
Some of these apps are famous in South Korea, but also elsewhere in the world, like the multimedia file player GOM Player. Google and the application developers have obviously been warned by McAfee. Most are now removed from the official store or healthy again, after the library was taken down. However, the malware remains relevant. Here are the main infected apps on the Play Store that have been detected by McAfee. Note that we have excluded from this list applications with names in Asian characters, which are unlikely to be downloaded from the Play Store in French.
- GOM Player
- GOM-Audio
- L.POINT with L.PAY
- Swipe Brick Breaker
- Money Manager Expense & Budget
- Megabox
- LIVE Score, Real-Time Score
- Pikicast
- Compass 9: Smart Compass
- TV – All About Video
- LOTTE WORLD Magic pass
- Bounce Brick Breaker
- Infinite Slice
- SomNote – Beautiful note app
- Korea Subway Info: Metroid
- UBhind: Mobile Tracker Manager
- Snake Ball Lover
- Money Manager (Remove Ads)
- Inssaticon – Cute Emoticons, K
- T map for KT, LGU+
- GOM Audio Plus – Music, Sync l
- Swipe Brick Breaker 2
- DTT
- InfinitySolitaire
If all the applications are not available on the French versions of the official store, some of them are however a worldwide success. Also, if you have any of them installed on your smartphone, uninstall it immediately. For security, it is better that you change your passwords – take complex and unique ones for each account – and that you monitor the transactions on your bank account. Keep in mind that just because you’re downloading an app from an official store doesn’t mean you won’t be at risk. That’s why it’s best to only install apps you really need and remove the ones you no longer use. Before each download, take the time to check the small details that could give you a hint – number of downloads, reviews, name of the developer, authorization requests, other apps developed… In any case, the better It’s worth having an antivirus running in the background to double-check that malicious behavior isn’t secretly at work.