The PolySwarm Blog


Goldoson Android Adware

Apr 28, 2023 2:51:23 PM / by The Hivemind


Executive Summary

Goldoson, privacy-invasive clicker adware, was recently discovered in several popular Android apps in South Korea. It generates revenue for the threat actors through fraudulent recursive visits to hidden ads on the infected device.

Key Takeaways

  • Goldoson, privacy-invasive clicker adware, was recently discovered in several popular Android apps in South Korea.
  • The adware generates revenue for its creators through fraudulent recursive visits to hidden ads on the infected device.
  • The adware is integrated into legitimate apps and requests excessive permissions from users.

What is Goldoson?

McAfee recently reported on Goldoson, privacy-invasive clicker adware found in several popular Android apps in South Korea. It is present in these apps because it is part of a third-party library they include. The adware's primary objective is to generate revenue for its creators through fraudulent recursive visits to hidden ads on the infected device.

McAfee researchers found that the adware is integrated into legitimate apps, which, once downloaded, request excessive permissions from users. These permissions include the ability to access SMS messages, call logs, and device information. In some cases, the adware was found to open web pages in the background without the user's knowledge, which can lead to a significant drain on the device's battery life.

McAfee researchers identified more than 60 popular apps in South Korea infected with Goldoson, including a popular mobile game with over 10 million downloads. The adware is believed to have infected tens of thousands of devices in South Korea. However, it is possible the adware could spread to other countries if the infected apps are downloaded from third-party app stores.

Goldoson highlights the threats posed by third-party libraries that may be used by developers of legitimate apps, who are unaware of their potentially malicious nature. Goldoson also highlights the threats posed by adware and the need for users to be cautious when downloading apps. To minimize the risk of adware and other potentially unwanted programs, only download apps from official app stores and carefully review the permissions requested by the app before installing it.
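The permission review recommended above can be scripted against an app's decoded manifest, which also surfaces permissions pulled in by bundled third-party libraries. This is an added example, not code from PolySwarm or McAfee: it assumes a plain-text AndroidManifest.xml (for instance one decoded with apktool), and the mapping from the bulletin's three categories to Android permission names, the sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, defusedxml is a safer drop-in

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: categories named in the bulletin mapped to Android permission names.
SENSITIVE = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "call_log": {"READ_CALL_LOG", "WRITE_CALL_LOG"},
    "device_info": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS"},
}

def audit_manifest(xml_text):
    """Return {category: sorted permission names} for flagged requests."""
    root = ET.fromstring(xml_text)
    findings = {}
    # uses-permission-sdk-23 is the API 23+ variant of uses-permission.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            if not name.startswith("android.permission."):
                continue  # custom or vendor permissions are out of scope here
            short = name.rsplit(".", 1)[-1]
            for category, perms in SENSITIVE.items():
                if short in perms:
                    findings.setdefault(category, set()).add(name)
    return {category: sorted(perms) for category, perms in findings.items()}

# Constructed sample: decoded manifest of a hypothetical game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Puzzle Game"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

A flagged category is a prompt to ask whether the app's function justifies the request, not proof that the app is infected.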

IOCs

PolySwarm is currently monitoring for samples of Goldoson.

You can use the following CLI command to search for all Goldoson samples in our portal as they become available:

$ polyswarm link list -f Goldoson




Topics: Threat Bulletin, Android, Mobile, Goldoson, Adware
