
Apps on Google Play with 100 million downloads infected by malware, says report

Although devices running Android 11 or later are better protected against arbitrary data collection, researchers discovered that Goldoson had enough rights to acquire sensitive data in 10 percent of the apps even in newer versions of the OS, the report mentioned.


By Pihu Yadav  Apr 17, 2023 11:06:14 AM IST (Published)

A new Android malware known as "Goldoson" has entered Google Play, where it was found in 60 genuine apps with a combined total of 100 million downloads.

According to BleepingComputer, the apps' creators unintentionally added a third-party library containing the malicious component to all sixty apps.
The research team at McAfee found Android malware that is capable of gathering a variety of private data, including details on the user's installed apps, WiFi and Bluetooth-connected devices, and GPS coordinates.
Some of the affected apps are:
    • L.POINT with L.PAY - 10 million downloads
    • Swipe Brick Breaker - 10 million downloads
    • Money Manager Expense & Budget - 10 million downloads
    • GOM Player - 5 million downloads
    • LIVE Score, Real-Time Score - 5 million downloads
    • Pikicast - 5 million downloads
    • Compass 9: Smart Compass - 1 million downloads
    • GOM Audio - Music, Sync lyrics - 1 million downloads
    • LOTTE WORLD Magicpass - 1 million downloads
    • Bounce Brick Breaker - 1 million downloads
    • Infinite Slice - 1 million downloads
    • SomNote - Beautiful note app - 1 million downloads
    • Korea Subway Info: Metroid - 1 million downloads
In addition, the report claims that Goldoson can engage in ad fraud by secretly clicking advertisements.
The library registers the device and gets its configuration from an obscured remote server when a user launches a Goldoson-containing app.
The configuration details the data-stealing and ad-clicking activities Goldoson should perform on the infected device, as well as how often.
According to the research, the data collection mechanism is frequently set to activate every two days and send the C2 server a list of installed apps, a history of past locations, the MAC addresses of devices linked via Bluetooth and WiFi, and other data.
How much data is collected depends on the permissions granted to the infected app during installation and on the Android version.
Although devices running Android 11 or later are better protected against arbitrary data collection, researchers discovered that Goldoson had enough rights to acquire sensitive data in 10 percent of the apps even in newer versions of the OS, the report mentioned.
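
The dependence on permissions and Android version described above can be checked from an app's manifest, because an embedded library runs with the host app's permissions. The audit below is an added example, not code from the article or the McAfee report; it assumes a decoded text manifest, and the permission-to-data mapping and the name `sdk_data_exposure` are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PKG_VISIBILITY_API = 30  # Android 11: the installed-app list is filtered by default

# Assumed mapping from the data types the article lists to the manifest
# permissions that gate them (permission names are not from the article).
GATES = {
    "GPS location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Bluetooth devices": {"BLUETOOTH", "BLUETOOTH_CONNECT"},
    "WiFi devices": {"ACCESS_WIFI_STATE"},
}

def sdk_data_exposure(manifest_xml: str, device_api: int) -> list[str]:
    """Data categories an embedded library could reach with the host app's
    declared permissions. Runtime grants by the user are not modelled."""
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID + "name", "").removeprefix("android.permission.")
        for el in root.iter("uses-permission")
    }
    uses_sdk = root.find("uses-sdk")
    target = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    exposed = [cat for cat, gate in GATES.items() if perms & gate]
    # Package visibility filtering applies only when both the device and the
    # app's target are API 30+, unless QUERY_ALL_PACKAGES is declared.
    filtered = device_api >= PKG_VISIBILITY_API and target >= PKG_VISIBILITY_API
    if not filtered or "QUERY_ALL_PACKAGES" in perms:
        exposed.append("installed apps")
    return sorted(exposed)

# Constructed sample manifests (not taken from any real app).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">'

def _manifest(target: int, *perms: str) -> str:
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return f'{_HEAD}<uses-sdk android:targetSdkVersion="{target}"/>{body}</manifest>'

LEGACY = _manifest(29, "ACCESS_FINE_LOCATION", "BLUETOOTH")
MODERN = _manifest(33, "INTERNET")
MODERN_BROAD = _manifest(33, "INTERNET", "QUERY_ALL_PACKAGES", "ACCESS_WIFI_STATE")

if __name__ == "__main__":
    for name, m in [("legacy", LEGACY), ("modern", MODERN), ("modern+broad", MODERN_BROAD)]:
        print(name, sdk_data_exposure(m, device_api=33))
```

An app that targets API 30 or later and declares none of these permissions leaves a bundled library with nothing from this list to collect, which is the baseline to aim for when reviewing third-party SDKs.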
"Users who installed an impacted app from Google Play can remediate the risk by applying the latest available update," BleepingComputer said in its report.
Ad revenue is generated by loading HTML code, injecting it into a tailored, hidden WebView, and then utilising that to carry out many URL requests.
The victim's device shows no evidence of this action.
Google's Threat Analysis gang shut down thousands of accounts in January that were connected to the "Dragonbridge" or "Spamouflage Dragon" gang, which spread false information favourable to China on multiple platforms.
The tech giant claims that Dragonbridge purchases new Google Accounts from bulk account vendors and that occasionally they have even utilised accounts that had previously been used by actors with financial motivations and were then used to post blogs and videos that spread misinformation.
(With IANS Inputs)
