In the latest example of supply chain attack shenanigans, unnamed hackers have reportedly managed to compromise 100 million Android devices with data-harvesting malware.
Cybersecurity researchers from McAfee recently discovered a third-party library that they dubbed Goldoson.
The library was added to 60 extremely popular Android apps that users can download via the Play Store and the OneStore (Play Store’s biggest competitor in South Korea). The library was malicious and collects data on installed apps, data on Wi-Fi- and Bluetooth-connected endpoints, and GPS location data.
Adware
The researchers describe Goldoson as “privacy-invasive and clicker Android adware”, as it can click on ads in the background, without the device owner’s consent. The targets are mostly South Korean, it would seem.
Some of the most popular Android apps that fell prey to this attack are L.POINT with LPAY, Swipe Brick Breaker, and Money Manager Expense & Budget, all of which have in excess of 10 million downloads.
Then there’s GOM Player, LIVE Score, Real-Time Score, and Pikicast, with five million downloads each, and a handful of other apps with more than a million downloads.
The amount of data stolen from a device depends on the permissions each app has on the smartphone. According to BleepingComputer, Android 11 and newer versions are better protected against arbitrary data collection (opens in new tab), but even in that case, McAfee found Goldoson being able to extract data in 10% of the apps.
The researchers notified Google about their findings which, in turn, raised the question with the apps’ developers, who were told their apps now violated Google Play policies. While most developers acted promptly and updated their apps to remove the malicious content, some failed to respond. Google removed these apps from the app repository, it was said.
Therefore, to stay safe from malicious adware and data-harvesting malware, make sure to update your apps to the latest version. If some of your apps are no longer available on the Play Store, it might be best to remove them.
Via: BleepingComputer (opens in new tab)
