Goldoson malware
Android Malware ‘Goldoson’ Infects Google Play via 60 Legitimate Apps with 100 Million Downloads

A new Android malware named ‘Goldoson’ has infiltrated Google Play by exploiting third-party libraries in 60 legitimate apps that collectively have over 100 million downloads. The malicious malware component was added to the apps by the developers unknowingly. McAfee’s research team discovered Goldoson can carry out ad fraud by automatically clicking ads in the background without users’ consent and collecting data on installed apps, WiFi, Bluetooth-connected devices, and user GPS locations.

Goldoson Exploits Third-Party Library to Infect Users

Google Play is a platform that allows Android users to download their favorite apps securely. However, Goldoson has managed to infiltrate the platform by exploiting third-party libraries in 60 legitimate apps, with some apps having a massive user base. For instance, L.POINT with L.PAY, Swipe Brick Breaker, and Money Manager Expense & Budget have ten million downloads each, and GOM Player, LIVE Score, Real-Time Score, and Pikicast have five million downloads each.

Goldoson uses a third-party library that developers added to their apps unknowingly. When a user launches an app that contains Goldoson, the library registers the device. Then it receives its configuration from a remote server whose domain is obfuscated. The configuration determines which data the malware should steal, which ad-clicking functions should execute, and how often. The level and type of data collection depends on the permissions granted or given to the infected app during its installation and the Android version.

McAfee Detects Goldoson’s Data-Stealing Abilities and Ad Fraud Tactics

McAfee’s research team detected Goldoson’s ability to collect sensitive data, such as installed apps and user GPS locations from infected devices. It can also carry out ad fraud automatically by clicking ads in the background without a user’s consent, thereby generating revenue for the malware’s operators.

Goldoson loads HTML code and then injects it into a customized, hidden WebView to generate revenue with multiple URL visits. An infected user does not see any indication of this malicious activity on their device. Data collection varies depending on the permissions granted during installation and the Android version. Android 11 has better protection against arbitrary data collection.

Remediation for Infected Users

Users that installed the apps containing Goldoson from Google Play can mitigate the risk by applying the latest available update. Developers of the impacted apps have received a notification to fix their apps to come into compliance with Google Play policies. Google confirmed that the affected apps violated Google Play policies and were removed from the store if the developers failed to respond promptly. The developers of some apps removed the library containing Goldoson to make the app safe to use.

The chances of Goldoson still lurking in third-party Android app stores are high. Infected users may notice their devices heating up, battery draining very fast, and unusually high data usage even when the device is not working.


Goldoson is a new Android malware that has infiltrated Google Play via 60 legitimate apps with over 100 million downloads. It collects sensitive data and carries out ad fraud automatically without users’ consent by clicking ads in the background, generating revenue for the malware’s operators. Infected users can remediate the risk by applying the latest available update. However, Goldoson may still be active in third-party Android app stores, where the risk is higher. As always, users should exercise caution when downloading apps and ensure they use reputable app stores to avoid malware infections.