In brief: Despite Google's safeguards for keeping malware-infected apps off its Play Store, malicious software still slips through the cracks. The latest of these is a privacy-stealing ad-clicker found in 60 apps that had been downloaded over 100 million times.
McAfee's mobile research team discovered a third-party software library it named Goldoson, which collects sensitive information and performs ad fraud. However, the developers who used Goldoson didn't realize that they were adding a malicious malware component to their programs.
Once installed, Goldoson is able to collect data on the apps installed on a device, a history of WiFi and Bluetooth-connected devices, and nearby GPS locations.
But the most insidious part of the malware is that it can also perform fraud by clicking ads in the background without a user's consent. This is achieved by the library loading HTML code and injecting it into a customized, hidden WebView, using it to visit multiple URLs to generate ad revenue – all without the user realizing what's happening.
McAfee writes that once an app that uses Goldoson is installed, the library registers the device and receives its remote configurations at the same time the app runs. The library name and the remote server domain vary with each application, and the latter is obfuscated.
Some of the affected apps with the largest number of downloads include L.Point with L.Pay, Swipe Brick Breaker, Money Manager Expense & Budget, GOM Player, Live Score, GOM Audio, and Compass 9. There have been more than 100 million downloads of these apps through the Google Play Store, while around 8 million came from the ONE store, Korea's leading app store. Check out all the impacted apps here.
The good news is that users with devices running Android 11 and above are more protected against apps that attempt to gather information on other applications installed on a device. However, McAfee found that even on the latest version of the operating system, Goldoson was able to collect sensitive information on around 10% of installed apps. How much data is collected depends on how many permissions a user grants the app during the installation process.
McAfee reported the offending apps to Google, which in turn notified the developers that their apps violated Google Play policies and needed fixing. Those who didn't respond in time had their apps removed from the Play Store, while the apps that remain have been updated by their devs. Anyone who may have installed one of these apps should update them to their latest versions.