Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.
The malicious code was downloaded from a “Golduck” server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.
Appthority describes the malicious applications as high-quality classic games, including Tank and Bomber titles. Highly rated on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.
The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.
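For defenders, the download URL above is the most actionable indicator in the report: any device that fetches gp.apk from golduck.info has run an infected game. The following is an added example, not code from the article or from Appthority, that runs over a few constructed proxy log lines (the IPs, timestamps and second URL set are made up) and ranks each client by whether it merely contacted the host or actually pulled the plugin APK. The hxxp:// defanging in the report is treated as plain http://.

```python
import re
from urllib.parse import urlsplit

# Indicator from the Appthority report: the plugin APK was fetched from
# golduck.info/pluginapk/gp.apk ("hxxp://" in the report is a defanged "http://").
GOLDUCK_HOST = "golduck.info"
GOLDUCK_PATH = "/pluginapk/gp.apk"

# Constructed sample proxy log (not real traffic): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2017-11-20T10:01:02Z 10.0.0.12 GET http://golduck.info/pluginapk/gp.apk
2017-11-20T10:01:05Z 10.0.0.12 GET http://example.com/ads/banner.png
2017-11-20T10:02:11Z 10.0.0.31 GET http://cdn.example.net/game/level1.dat
2017-11-20T10:03:44Z 10.0.0.44 GET http://GOLDUCK.INFO/pluginapk/gp.apk
2017-11-20T10:04:00Z 10.0.0.12 GET http://golduck.info/stats
"""

# One whitespace-separated record per line; anything else is skipped as malformed.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_url(url):
    """Return 'payload' for the gp.apk fetch, 'host' for any other contact
    with golduck.info, and None for unrelated URLs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname comparison is case-insensitive
    if host != GOLDUCK_HOST:
        return None
    if parts.path == GOLDUCK_PATH:
        return "payload"
    return "host"


def scan_proxy_log(text):
    """Return a list of (client_ip, severity, url) for every line that
    contacts the Golduck server."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        severity = classify_url(url)
        if severity:
            hits.append((client, severity, url))
    return hits


def suspect_devices(text):
    """Map client IP -> worst severity seen, so a device that pulled gp.apk
    is ranked above one that only touched the host."""
    rank = {"host": 1, "payload": 2}
    worst = {}
    for client, severity, _url in scan_proxy_log(text):
        if rank[severity] > rank.get(worst.get(client), 0):
            worst[client] = severity
    return worst


if __name__ == "__main__":
    for client, severity in sorted(suspect_devices(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {severity}")
```

Any client marked "payload" should be treated as compromised and the listed games removed from it; a "host"-only client is worth checking for the same apps, since the report also describes later traffic to the same server.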
Appthority’s security researchers discovered three folders inside the loaded gp.apk file, each with a seemingly benign name: “google.android”, “startapp.android.unity.ads” and “unity.ads”. The malicious code was hidden inside the google.android folder.
By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.
“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.
The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.
The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.
Appthority found two Golduck-infected applications in Google Play and informed Google of the matter on Nov. 20, 2017. All of the offending applications have since been taken down by the Android Security team.
To stay protected from the Golduck malware, users are advised to watch for unusual activity on their mobile devices, such as root access becoming available without their having enabled it. SMS charges from unknown sources would also indicate a possible infection.
Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.
The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.