Security researchers have discovered a new malicious software library that can collect lists of installed applications, historical Wi-Fi and Bluetooth device information, and nearby GPS location data.
The library, dubbed Goldoson by McAfee’s Mobile Research Team, can also load web pages without the user’s knowledge or perform ad fraud by clicking ad links in the background without the victim’s consent.
McAfee’s SangRyol Ryu said: “The malicious library was created by someone else, not the app’s developer, but still poses a risk to the app’s installer.”
From a technical perspective, the Goldoson library registers devices and retrieves remote configurations while the app is running.
“The library name and remote server domain are different and obfuscated for each application.”
Additionally, the remote configuration contains parameters for each function, specifying how often the component should run.
“Based on the parameters, the library periodically checks, retrieves the device information and sends it to the remote server,” reads the advisory. For example, collected data is sent every two days by default, but this cycle can be changed by remote configuration.
The McAfee team said they notified Google of the malicious app. As a result of the disclosure, some apps have been removed from Google Play and others have been updated by their official developers.
“As our application grows in size and continues to leverage additional external libraries, it is important to understand how the application works,” concludes Ryu. “App developers should be upfront about the libraries they use and take precautions to protect their users’ information.”
The disclosure of the Goldoson library comes months after Kaspersky security researchers announced they had discovered 196,476 new mobile banking Trojan installers in 2022. This is double the number observed in 2021.