Full Report
Authored by SangRyol Ryu. McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications... The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.
Analysis Summary
# Main Topic
Discovery and analysis of **Goldoson**, a privacy-invasive and clicker Android adware software library embedded within popular legitimate applications primarily targeting South Korean users.
## Key Points
- **Functionality:** Goldoson collects sensitive device information, including lists of installed applications, Wi-Fi/Bluetooth device history (including nearby GPS locations), and sends this data periodically (default cycle every two days, configurable remotely).
- **Ad Fraud:** The library possesses functionality to perform ad fraud by loading advertisements in a hidden, injected WebView and recursively visiting associated URLs without user awareness or consent, generating illicit financial profit.
- **Distribution:** The malicious library was found in over 60 applications across Google Play and the South Korean ONE store, accumulating over 100 million confirmed downloads.
- **Data Sensitivity:** Collected data includes sensitive user identifiers and location information derived from surrounding Wi-Fi/Bluetooth signals (BSSID/RSSI), which offers accurate localization, especially indoors.
- **Persistence/Evasion:** The library employs obfuscation, mutates class names, and uses remote configuration to determine when and how to execute its data collection and ad functionality.
## Threat Actors
- The malicious library was created by an unknown third party; the app developers were likely unaware of the malicious inclusion.
- **Motivation:** Financial gain through ad fraud and mass collection of sensitive user information for potential aggregation and identification.
## TTPs
- **T1059 - Command and Scripting Interpreter:** Utilizes remote configuration parameters (e.g., `ads_enable`, `collect_enable`) to control execution flow.
- **T1083 - File and Directory Discovery:** Gathers application lists, potentially leveraging the `QUERY_ALL_PACKAGES` permission (found in ~10% of infected apps on newer Android versions).
- **T1560 - Archive Collected Data:** Data, including installed apps and network identifiers, is formatted as JSON before exfiltration.
- **T1071 - Application Layer Protocol:** Exfiltrates data to various remote servers.
- **T1447 - System Information Discovery:** Captures network location data (BSSID/RSSI) alongside GPS data when Location permission is granted.
- **Ad Fraud Technique:** Loads HTML content into a hidden `WebView` to generate background ad traffic.
## Affected Systems
- **Platform:** Android operating systems.
- **Victims:** Users of popular South Korean applications that bundle the library. Over 100 million downloads tracked globally, with a significant concentration in the Korean market (Google Play and ONE store).
- **Affected Apps Examples (Partial List):** L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, TMAP.
## Mitigations
- **User Action:** Users are strongly encouraged to update applications to the latest versions available from official stores to ensure the malicious library is removed.
- **Platform Action:** Google has notified violating developers; some apps were removed, and others were updated to meet compliance.
- **Detection:** McAfee Mobile Security detects the threat under the signature **Android/Goldoson**.
- **Developer Best Practice:** App developers should be transparent about the third-party libraries integrated into their software and implement safeguards to protect user information against malicious dependencies.
## Conclusion
Goldoson represents a significant supply chain risk, where malicious functionality is introduced via third-party libraries rather than being implemented by the primary application developer. The primary threats are mass surveillance via sensitive data collection and direct financial harm through invisible ad click fraud. Immediate user remediation is achieved by updating widely distributed applications.
---
# Morning News Roll-up
## Overview
This section lists the three most relevant findings from the Goldoson threat intelligence summarized above.
## Top Stories
### Goldoson Adware Discovered in 60+ Popular Android Apps
- Summary: McAfee identified the Goldoson software library, embedded in over 60 Android applications primarily popular in South Korea (totaling over 100 million downloads), which performs privacy-invasive data collection and ad fraud.
- Source: McAfee Blog
### Data Exfiltration Includes Location and Installed App Lists
- Summary: The Goldoson library periodically collects and transmits sensitive data, including the complete list of installed applications, Wi-Fi/Bluetooth device MAC addresses, and location history derived from nearby signal indicators (BSSID/RSSI).
- Source: McAfee Blog
### Ad Fraud Mechanism Relies on Hidden WebView Injection
- Summary: The library executes ad fraud by secretly loading HTML content into a hidden WebView instance and recursively visiting URLs, generating background ad traffic for financial gain without user consent.
- Source: McAfee Blog