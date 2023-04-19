



Malware capable of stealing data and performing click fraud entered 60 mobile apps via infected third-party libraries. The infected apps have been downloaded more than 100 million times from the official Google Play store and are also available in other app stores in South Korea, researchers have found.

Discovered and named by researchers at McAfee Labs, Goldoson is capable of a variety of malicious activities on Android devices, they said in a blog post. In addition to collecting the list of installed applications, the malware can harvest the location of nearby devices via Wi-Fi and Bluetooth. It can also commit ad fraud by clicking on ads in the background without the user’s consent or knowledge, the researchers say.

Some of the popular Goldoson-affected apps include L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, Lotte Cinema, Live Score, and GOM. The researchers counted more than 100 million downloads of the infected apps on Google Play and more than 8 million on ONE, South Korea’s leading mobile app store.

McAfee reported the infected apps to Google, which promptly notified the developers that the apps violated Google Play’s policies and had to be fixed. The post does not say whether the ONE app store was also contacted.

Some apps have been completely removed from Google Play, while others have been updated by their official developers. McAfee recommends that users of affected apps update to the latest versions of the apps listed in the post to remove traces of Goldoson from their devices.

SangRyol Ryu of McAfee’s mobile research team wrote, “Although the malicious library was written by someone else, not the app developer, the risk remains to the app installer.”

How Goldoson Works

The Goldoson library registers the device as soon as the infected app runs and, in the same session, retrieves a remote configuration from the command-and-control (C2) server. It evades detection by changing both the library name and the remote server domain for each application. The researchers named it “Goldoson” after the first domain they found.

A remote configuration contains parameters for each function of the app and specifies how often the component should run.

“Based on the parameters, the library periodically checks, retrieves device information, and sends it to the remote server,” wrote Ryu.

Goldoson’s ability to collect data on all apps on the device comes from the “QUERY_ALL_PACKAGES” permission, which it requests from the device. Devices running Android 11 or higher appear to be better protected from this query; only about 10% of the cases McAfee observed on those versions were still exposed, the researchers said.

When it runs on devices with Android 6.0 or higher, the malware requests permissions to access location, storage, or the camera. If the location permission is granted, the infected app can read not only GPS data but also Wi-Fi and Bluetooth information from nearby devices, which makes it possible to locate the infected device more precisely, especially indoors, the researchers note. Determining a user’s location exposes them to further malicious activity.
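The two paragraphs above describe a permission profile (app inventory plus location plus Wi-Fi/Bluetooth) that a bundled third-party library inherits from the host app, so one cheap check an app-vetting team can run is a static audit of the manifest before an SDK ships. The script below is an added example and not code from McAfee or from the Goldoson library; the two manifests, the package names and the finding codes are constructed for illustration. It reads an AndroidManifest.xml (for example one decoded with apktool) and reports the combinations the article calls out. One detail the article only hints at: Android 11 package-visibility filtering applies to apps that target API 30 or higher, and a declared QUERY_ALL_PACKAGES opts the app back out of it, so the audit also notes when the app targets a lower API level.

```python
# Added example (not McAfee's or Goldoson's code): static audit of an Android
# manifest for the permission profile described in the article.
# Both manifests below are constructed; the package names are placeholders.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

INVENTORY = {"android.permission.QUERY_ALL_PACKAGES"}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
# Permissions a library needs to read nearby Wi-Fi networks or Bluetooth devices.
NEARBY = {"android.permission.ACCESS_WIFI_STATE",
          "android.permission.NEARBY_WIFI_DEVICES",
          "android.permission.BLUETOOTH",
          "android.permission.BLUETOOTH_ADMIN",
          "android.permission.BLUETOOTH_SCAN"}

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brickgame">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="29" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <application android:label="Brick Game" />
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Notes" />
</manifest>
"""


def parse_manifest(xml_text):
    """Return package name, targetSdkVersion and the set of declared permissions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = None
    if sdk is not None and sdk.get(ANDROID + "targetSdkVersion"):
        target = int(sdk.get(ANDROID + "targetSdkVersion"))
    return {"package": root.get("package"), "target_sdk": target, "permissions": perms}


def audit_manifest(xml_text):
    """Flag the permission combinations the article describes, as short finding codes."""
    m = parse_manifest(xml_text)
    perms = m["permissions"]
    findings = []
    if perms & INVENTORY:
        # Any SDK bundled in this app can enumerate every installed package.
        findings.append("app-inventory")
        if m["target_sdk"] is None or m["target_sdk"] < 30:
            # Package-visibility filtering only applies when targeting API 30+.
            findings.append("legacy-target-sdk")
    if perms & LOCATION:
        findings.append("location")
        if perms & NEARBY:
            # GPS plus Wi-Fi/Bluetooth scan data: indoor positioning of the device.
            findings.append("indoor-location")
    if findings and "android.permission.INTERNET" in perms:
        # Collected data can leave the device.
        findings.append("exfil-capable")
    return {"package": m["package"], "target_sdk": m["target_sdk"], "findings": findings}


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = audit_manifest(text)
        print(f"{name}: {r['package']} (targetSdk {r['target_sdk']}) -> {r['findings']}")
```

Run against a real decoded APK, the finding codes are a triage signal, not a verdict: a navigation app legitimately needs most of these permissions, so the next step is to attribute each permission to the library that introduced it (merged-manifest reports from the build do this) rather than to reject the app outright.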

Goldoson can load web pages without the user’s knowledge, a capability attackers can exploit to load ads for financial gain, the researchers say. Technically, the library loads HTML code, injects it into a customized hidden WebView, and recursively visits URLs to generate hidden traffic, they explained.

Goldoson sends the data collected from the device to the attackers every two days; the attackers can change this interval through the remote configuration.
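The behaviour described in this section (register the device, fetch a configuration, then report on a fixed schedule to a host that differs per app) is hard to spot by domain alone, but it leaves a regular rhythm in outbound connection logs. The script below is an added example, not McAfee’s detection logic: it parses constructed proxy-style log lines, collapses bursts such as a registration followed by a config fetch into one check-in, and flags any (app, host) pair whose check-ins recur at a stable interval. The hosts and package names are placeholders, not Goldoson infrastructure, and the 48-hour period simply mirrors the two-day cycle the article reports.

```python
# Added example (not McAfee's code): periodicity check over outbound connection
# logs to surface a fixed-interval check-in. Log lines, hosts and app names
# are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: timestamp, app package, destination host, method, path.
LOG = """\
2023-04-01T03:12:41Z com.example.brickgame cfg-a7.example.net POST /v1/reg
2023-04-01T03:12:44Z com.example.brickgame cfg-a7.example.net GET /v1/config
2023-04-01T09:30:02Z com.example.brickgame img.cdn.example.com GET /lvl1.png
2023-04-02T18:45:17Z com.example.brickgame img.cdn.example.com GET /lvl2.png
2023-04-03T03:14:03Z com.example.brickgame cfg-a7.example.net POST /v1/report
2023-04-05T03:11:58Z com.example.brickgame cfg-a7.example.net POST /v1/report
2023-04-07T03:13:20Z com.example.brickgame cfg-a7.example.net POST /v1/report
2023-04-09T03:12:35Z com.example.brickgame cfg-a7.example.net POST /v1/report
2023-04-01T07:00:10Z com.example.budget api.budget.example.org GET /sync
2023-04-01T07:05:10Z com.example.budget api.budget.example.org GET /sync
2023-04-01T19:22:48Z com.example.budget api.budget.example.org GET /sync
"""


def parse_log(text):
    """Parse the constructed format into (time, app, host, method, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, host, method, path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), app, host, method, path))
    return events


def sessions(times, gap_minutes=5):
    """Collapse connections closer than gap_minutes into one check-in; return session start times."""
    times = sorted(times)
    starts, last = [times[0]], times[0]
    for t in times[1:]:
        if (t - last).total_seconds() > gap_minutes * 60:
            starts.append(t)
        last = t
    return starts


def find_beacons(text, min_checkins=4, min_period_hours=1.0, max_cv=0.05):
    """Flag (app, host) pairs whose check-ins recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for t, app, host, _, _ in parse_log(text):
        by_pair[(app, host)].append(t)
    hits = []
    for (app, host), times in by_pair.items():
        starts = sessions(times)
        if len(starts) < min_checkins:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        # Coefficient of variation: low means the interval barely drifts, i.e. a timer, not a user.
        cv = pstdev(gaps) / period
        if period >= min_period_hours and cv <= max_cv:
            hits.append({"app": app, "host": host, "checkins": len(starts),
                         "period_hours": round(period, 1),
                         "first_seen": starts[0].isoformat()})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print(f"{hit['app']} -> {hit['host']}: {hit['checkins']} check-ins, "
              f"every {hit['period_hours']} h since {hit['first_seen']}")
```

Because the remote configuration can change the interval, the detector keys on regularity rather than on a specific period: a library that is told to report every six hours instead of every two days is still caught once enough check-ins accumulate. Legitimate sync traffic usually follows user activity and breaks the pattern, as the budget app’s three irregular connections do here.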

Third-party mobile app component risks

Goldoson’s presence once again demonstrates how quickly malicious activity can spread when it is part of a third-party or open source component that developers incorporate into their applications without knowing it is infected, the researchers said.

This was well documented in the Apache Log4j debacle, in which the logging library used in almost every Java environment turned out to contain an easily exploitable vulnerability. Declared an endemic cyberthreat by the Department of Homeland Security, Log4j could have an impact for years to come, as many existing applications remain vulnerable.

This ability to gain a large malicious footprint quickly, without the knowledge of organizations or developers, is not lost on attackers. Malware and known vulnerabilities such as Log4j are increasingly being used to target the software supply chain, a trend that will continue as long as these attacks keep succeeding, observes Kern Smith, Vice President of Sales Engineering for the Americas at Zimperium, a mobile security company.

Demand for transparency

According to experts, transparency across organizations and developer teams seems to be the best way to mitigate problems in the software supply chain.

Both developers and organizations that use applications containing open source or third-party components must assess the risks of those applications and their components, especially through the software bill of materials (SBOM), which provides an inventory of the software’s components, says Smith.
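An SBOM is only useful if someone actually queries it, and the question Goldoson raises is not just “is this library in my app?” but “which direct dependency dragged it in?”, since the malicious code arrived inside other third-party libraries rather than being added by the app developer. The script below is an added example, not code from McAfee, Zimperium or any SBOM tool: it reads a small CycloneDX-style SBOM (constructed inline; the component names, versions and the review list are hypothetical) and, for every component matching a reviewed version range, walks the dependency graph from the app to show the chain that pulled it in. It also lists components that carry no supplier or source reference, which is the transparency gap the next paragraphs argue about.

```python
# Added example (not McAfee's, Zimperium's or any SBOM tool's code): query a
# CycloneDX-style SBOM for reviewed components and attribute each to the direct
# dependency that introduced it. The SBOM and the review list are constructed.
import json
from collections import deque

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "brickgame", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:maven/com.example.ads/ads-sdk@4.1.0",
     "group": "com.example.ads", "name": "ads-sdk", "version": "4.1.0"},
    {"bom-ref": "pkg:maven/com.example.analytics/tracker@2.0.3",
     "group": "com.example.analytics", "name": "tracker", "version": "2.0.3"},
    {"bom-ref": "pkg:maven/androidx.appcompat/appcompat@1.6.1",
     "group": "androidx.appcompat", "name": "appcompat", "version": "1.6.1",
     "externalReferences": [{"type": "vcs",
       "url": "https://android.googlesource.com/platform/frameworks/support"}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/com.example.ads/ads-sdk@4.1.0",
                                 "pkg:maven/androidx.appcompat/appcompat@1.6.1"]},
    {"ref": "pkg:maven/com.example.ads/ads-sdk@4.1.0",
     "dependsOn": ["pkg:maven/com.example.analytics/tracker@2.0.3"]}
  ]
}"""

# Hypothetical review list: (group, name, first affected version, first fixed version or None).
REVIEW = [("com.example.analytics", "tracker", "2.0.0", "2.1.0")]


def vtuple(version):
    """Compare dotted numeric versions as tuples, e.g. '2.0.3' -> (2, 0, 3)."""
    return tuple(int(part) for part in version.split("."))


def affected(component, entry):
    group, name, first_bad, first_fixed = entry
    if component.get("group") != group or component.get("name") != name:
        return False
    v = vtuple(component["version"])
    return vtuple(first_bad) <= v and (first_fixed is None or v < vtuple(first_fixed))


def path_to(graph, root, target):
    """Breadth-first search from the app to the component; returns the chain of bom-refs."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_sbom(sbom_text, review=REVIEW):
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    flagged, opaque = [], []
    for comp in sbom["components"]:
        label = f'{comp["group"]}:{comp["name"]}@{comp["version"]}'
        if not (comp.get("supplier") or comp.get("publisher") or comp.get("externalReferences")):
            opaque.append(label)  # no one to ask about this code and nowhere to read it
        for entry in review:
            if affected(comp, entry):
                chain = path_to(graph, root, comp["bom-ref"])
                # chain[1] is the direct dependency that introduced the component.
                via = "direct" if chain is None or len(chain) <= 2 else chain[1].split("/")[-1]
                flagged.append({"component": label, "via": via, "path": chain})
    return {"flagged": flagged, "no_provenance": opaque}


if __name__ == "__main__":
    result = check_sbom(SBOM_JSON)
    for hit in result["flagged"]:
        print(f"{hit['component']} reviewed; pulled in via {hit['via']}: {' -> '.join(hit['path'])}")
    print("components without supplier or source reference:", result["no_provenance"])
```

The attribution step matters operationally: the fix for a transitive component is usually not to pin it directly but to update or drop the direct dependency that carries it, which is what the `via` field points at.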

Developers should be willing to disclose the libraries and other components used in the applications they build and deliver, to protect their users and prevent compromise through infected or vulnerable components, the McAfee researchers said.

Also, developers of external libraries should be transparent about their code. This helps organizations and developers using the external library to understand its behavior and quickly recognize any problems that may arise.

