A malicious software library, named Goldoson, has been spotted harvesting lists of applications installed on mobile devices, along with other private data, and using them to perform ad fraud. It has already infected more than 60 genuine applications with over 100 million downloads across South Korea.

Privacy breach plus click fraud

According to McAfee Labs, the infected apps are churning out financial gains via click-ad frauds while threatening the privacy of the device users.
  • The Goldoson library loads HTML-coded web pages on the infected device and injects them into a custom WebView that is never displayed on the screen. In this way it keeps generating traffic to affiliate websites recursively, without the user's awareness.
  • Moreover, the library collects the list of applications installed, the history and MAC addresses of recent Wi-Fi and Bluetooth connections, and GPS locations.
  • This data is sent to attacker-controlled servers, as per the remote configuration, usually once every two days.

The infected applications are hosted on Google Play, where they account for over 100 million downloads, and on the South Korean app store ONE store, where they have nearly eight million downloads.

Operational details

According to the report, the name of the library and the remote server domain are obfuscated and change dynamically from one application to another.
  • When the malicious apps are run, Goldoson registers the infected device and simultaneously obtains the remote configurations for its operations.
  • The remote configuration includes the values for specific parameters, such as the number and duration of ads, interim delays, and how often various components would run.
  • Based on these parameters, the library scans the device, collects the information, and sends it to the remote server.

Concluding notes

The Goldoson library and the applications carrying it are clear examples of the increasing scale and impact of mobile threats on reputable app stores, including Google Play and ONE store. Thus, when downloading any application, users should always perform due diligence, especially for new apps without good reviews.
Cyware Publisher