New Android malicious library Goldoson found in 60 apps +100M downloads

New Android malicious library Goldoson found in 60 apps +100M downloads

A new Android malware named Goldoson was distributed through 60 legitimate apps on the official Google Play store.

The Goldoson library was discovered by researchers from McAfee’s Mobile Research Team, it collects lists of applications installed on a device, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. The third-party library can perform ad fraud by clicking advertisements in the background without the user’s consent. The experts have found more than 60 applications in Google Play that were containing the malicious library. The apps totaled more than 100 million downloads in the ONE store and Google Play stores in South Korea. 

It is important to highlight that the library was not developed by the authors of the apps. 

The security firm reported its findings to Google, which notified the development teams. Some apps were updated by removing the malicious library, while other apps were removed from Google Play.  

Below is the list of the apps using the malicious library that had the highest number of downloads:

Package Name  Application Name  GooglePlay Downloads  GP
Status  L.POINT with L.PAY  10M+   Updated* 
com.Monthly23.SwipeBrickBreaker  Swipe Brick Breaker  10M+  Removed** 
com.realbyteapps.moneymanagerfree  Money Manager Expense & Budget  10M+  Updated* 
com.skt.tmap.ku  TMAP – 대리,주차,전기차 충전,킥보 …  10M+  Updated*  롯데시네마  10M+  Updated* 
com.ktmusic.geniemusic  지니뮤직 – genie  10M+  Updated* 
com.cultureland.ver2  컬쳐랜드[컬쳐캐쉬]  5M+  Updated* 
com.gretech.gomplayerko  GOM Player  5M+  Updated* 
com.megabox.mop  메가박스(Megabox)  5M+  Removed**  LIVE Score, Real-Time Score  5M+  Updated* 
sixclk.newpiki  Pikicast  5M+  Removed**

Upon executing one of the above apps, the Goldoson library registers the device and gets configurations from a remote server. 

“Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers.” reads the analysis published by the security firm. “The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability.”

The library can load web pages without user awareness, this means that the malware can load ads for financial profit. 


The collected data is sent to the C2 server every two days, but the cycle depends on the remote configuration.

The level of data collection depends on the permissions granted to the app using the malicious library. McAfee discovered that even in recent Android versions, Goldoson was able to gather sensitive data in 10% of the apps.

“As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information.” concludes the report.

Please vote for Security Affairs ( as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens Metaverse)

Leave a Reply

Your email address will not be published. Required fields are marked *