Remove These Malicious Apps From Your Android Device As Soon As Possible

In an ideal world, every app you download from the Play Store would be perfectly safe. After all, Google has strict rules and regulations in place to weed out any apps that might try to harm potential users. Unfortunately, we do not live in an ideal world, and malware enters official marketplaces every day. The last example includes dozens of applications downloaded millions of times without the knowledge of both users and developers.

Goldoson malware goes far

The McAfee mobile research team has discovered a new malicious library, which they have identified as “Goldoson”, which made its way to the Google Play Store and the South Korean ONE Store through 60 approved apps. Overall, Goldoson’s apps have been downloaded 100 million times, with three apps having 10 million downloads each. Bleeping Computer identified the 13 most popular applications affected by this hack:

• L.POINT with L.PAY: 10 million downloads
• Swipe Brick Breaker: 10 million downloads
• Money Manager Expense & Budget: 10 million downloads
• GOM Player: 5 million downloads
• LIVE Score, Real-Time Score: 5 million downloads
• Pikicast: 5 million downloads
• Compass 9: Smart Compass: 1 million downloads
• GOM Audio – Music, Lyrics Sync: 1 million downloads
• LOTTE WORLD Magicpass: 1 million downloads
• Bounce Brick Breaker: 1 million downloads
• Infinite Slice: 1 million downloads
• SomNote – Beautiful note taking app: 1 million downloads
• Korea Subway Information: Metroid: 1 million downloads

However, unlike previous detections of malicious apps, the developers of these 60 apps were not deliberately implicated. Their applications were legitimate, but they relied on a third-party library containing the Goldoson malware.

How does Goldson work?

We know from McAfee research that Goldoson collects lists of apps you install on your device, as well as a log of Wi-Fi networks, Bluetooth connections, and GPS locations. The library only has access to this information if you grant it, but since there was nothing suspicious in the applications initially, these permissions may have been granted. The library can then click ads in the background without your knowledge, profiting from ad fraud.

When you install an application that interacts with the Goldoson library, it registers your device and starts communicating with the server. The server then determines how often Goldoson should click on ads or steal your data. This usually runs every two days, after which it sends a complete list of all apps, location history, number of devices and network connections it has discovered during that time.

Update or uninstall these apps as soon as possible

According to McAfee’s list, all of these apps are currently either updated or removed from the Play Store. That means you need to be active: take a look at the list of apps in the McAfee report and see if your Android device has them. If so, take note of which apps have been updated and which have been removed. If an update is available, install it as soon as possible. However, if the app is no longer in the Play Store, delete it immediately. Google may have removed the app from the Play Store, but this will not affect its placement on your device.