Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Golduck Malware Infects Classic Android Games

Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.

Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.

The malicious code was downloaded from a “Golduck” server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.

Appthority describes the malicious applications as high quality classic games, including Tank and Bomber. Rated high on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.

The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.

Appthority’s security researchers discovered three folders inside the loaded gp.apk file, each featuring seemly benign names, such as “google.android”, “startapp.android.unity.ads,” and “unity.ads.” The malicious code was hidden inside the google.android folder.

By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.

“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.

The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.

Advertisement. Scroll to continue reading.

The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.

Appthority found two Golduck-infected applications in Google Play and informed Google on the matter on Nov. 20, 2017. All of the offending applications have been taken down by the Android Security team.

To stay protected from the Golduck malware, users are advised to keep an eye on unusual activity on their mobile devices, such as the availability of root access without their intent. SMS charges from unknown sources would also indicate possible infection.

Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.

The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.

Related: Multi-Stage Android Malware Evades Google Play Detection

Related: Android Malware Exploits Recently Patched ‘Toast’ Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.