Android malware known as "Goldoson" has been found in 60 legitimate apps on Google Play with a combined total of 100 million downloads.
According to BleepingComputer, the developers of all sixty apps unknowingly bundled a third-party library that carries the malicious component.
The McAfee research team found that the malware can gather a range of private data, including details of the user's installed apps, devices connected over WiFi and Bluetooth, and GPS coordinates.
The report also states that it can commit ad fraud by clicking advertisements in the background without the user's knowledge.
When a user launches an app containing Goldoson, the library registers the device and fetches its configuration from a remote server whose address is obfuscated.
The configuration specifies which data-stealing and ad-clicking actions Goldoson should perform on the infected device, and how often.
Android Virus ‘Goldoson’ Data Collection Mechanism
According to the research, the data collection routine is typically set to run every two days and send the C2 server a list of installed apps, location history, the MAC addresses of devices connected via Bluetooth and WiFi, and other data.
How much data is collected depends on the permissions granted to the host app at installation and on the Android version.
Although Android 11 and later are better protected against arbitrary data collection, the researchers found that Goldoson still had sufficient permissions to obtain sensitive data in 10% of the apps, even on newer OS versions, the report states.
Advertising revenue is generated by loading HTML code into a custom, hidden WebView and using it to issue a large number of URL requests. Nothing is visible on the victim's device while this happens.
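The collection described above only works when the host app already holds the permissions that unlock each data class, and Android 11's package visibility filtering (targetSdk 30 and up) removes free access to the installed-app list unless QUERY_ALL_PACKAGES is declared. The script below is an added example, not code from McAfee or from any of the affected apps: it triages an app's AndroidManifest.xml for the permission combination that would let a bundled library collect the app list, location, and Bluetooth/WiFi peer MAC addresses and send them out. The manifests are constructed for the example, and the mapping from permissions to data classes is the example author's assumption from the Android permission model, not something the report spells out.

```python
"""Triage an Android manifest for the permissions a bundled SDK would need to
collect what the Goldoson report describes and exfiltrate it.

Added example. The sample manifests are constructed; the permission-to-data
mapping below is an assumption drawn from the Android permission model.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PACKAGE_VISIBILITY_API = 30  # Android 11: app list needs QUERY_ALL_PACKAGES

# Assumed mapping: which declared permission(s) unlock each data class.
CAPABILITIES = {
    "installed_app_list": {"android.permission.QUERY_ALL_PACKAGES"},
    "location_history": {"android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.ACCESS_COARSE_LOCATION"},
    "bluetooth_peer_macs": {"android.permission.BLUETOOTH",
                            "android.permission.BLUETOOTH_CONNECT"},
    "wifi_peer_macs": {"android.permission.ACCESS_WIFI_STATE",
                       "android.permission.NEARBY_WIFI_DEVICES"},
    "c2_and_ad_traffic": {"android.permission.INTERNET"},
}


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(manifest_xml):
    """Return (set of declared permissions, targetSdkVersion or None)."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(el, "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    target = None
    sdk = root.find("uses-sdk")
    if sdk is not None and _attr(sdk, "targetSdkVersion"):
        target = int(_attr(sdk, "targetSdkVersion"))
    return perms, target


def collectable(manifest_xml):
    """Map each data class to True when the manifest lets code in the app get it."""
    perms, target = parse_manifest(manifest_xml)
    result = {cap: bool(perms & needed) for cap, needed in CAPABILITIES.items()}
    # Apps targeting pre-Android 11 (or declaring no target) are not subject to
    # package visibility filtering and can enumerate installed packages anyway.
    if target is None or target < PACKAGE_VISIBILITY_API:
        result["installed_app_list"] = True
    return result


def goldoson_like(manifest_xml):
    """Flag manifests that allow network egress plus two or more data classes."""
    caps = collectable(manifest_xml)
    data_caps = [c for c, ok in caps.items() if ok and c != "c2_and_ad_traffic"]
    return caps["c2_and_ad_traffic"] and len(data_caps) >= 2


# Constructed sample: a utility app targeting Android 13 that declares far
# more than a flashlight needs.
OVERPRIVILEGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed sample: same target SDK, only INTERNET declared.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

# Constructed sample: targets Android 10, so the app list is readable without
# QUERY_ALL_PACKAGES even though the permission is absent.
LEGACY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacygame">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Legacy Game"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in [("overprivileged", OVERPRIVILEGED_MANIFEST),
                       ("benign", BENIGN_MANIFEST),
                       ("legacy", LEGACY_MANIFEST)]:
        print(label, goldoson_like(xml), collectable(xml))
```

Run against a real APK by extracting and decoding AndroidManifest.xml first (the binary manifest inside the APK must be converted to text with a tool such as apktool or aapt). A hit is a triage signal, not proof of Goldoson: a flagged app still needs its third-party SDKs identified and the runtime traffic to the configuration server examined.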
In a separate action, Google's Threat Analysis Group (TAG) shut down thousands of accounts in January that were linked to "Dragonbridge" (also known as "Spamouflage Dragon"), an influence operation that spreads pro-China disinformation across multiple platforms.
Google says Dragonbridge buys new Google Accounts from bulk account vendors and has occasionally reused accounts previously operated by financially motivated actors, which were then used to post blogs and videos carrying its disinformation.
