Goldoson Malware in Popular Android Apps

Researchers have discovered a new malicious software library dubbed as Goldoson which can collect lists of installed applications, a history of Wi-Fi and Bluetooth device information as well as nearby GPS location data.

The library can also load web pages without user awareness and perform advertisement fraud by clicking on ad links in the background without the victim’s consent.

It has been found that more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains.

The Goldoson library registers the device and gets remote configurations while the app runs. The library name and the remote server domain vary with each application and are obfuscated. The remote configuration contains the parameters for each functionality, specifying how often it runs the components.

Researchers said it notified Google of the malicious apps. As a result of the disclosure, some apps were removed from Google Play while others were updated by the official developers.

As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information

List of Domains

• bhuroid.com
• enestcon.com
• htyyed.com
• discess.net
• gadlito.com
• gerfane.com
• visceun.com
• onanico.net
• methinno.net
• goldoson.net
• dalefs.com
• openwor.com
• thervide.net
• soildonutkiel.com
• treffaas.com
• sorrowdeepkold.com
• hjorsjopa.com
• dggerys.com
• ridinra.com
• necktro.com
• fuerob.com
• phyerh.net
• ojiskorp.net
• rouperdo.net
• tiffyre.net
• superdonaldkood.com
• soridok2kpop.com