Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.
The malicious code was downloaded from a “Golduck” server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.
Appthority describes the malicious applications as high quality classic games, including Tank and Bomber. Rated high on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.
The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.
Appthority’s security researchers discovered three folders inside the loaded gp.apk file, each featuring seemly benign names, such as “google.android”, “startapp.android.unity.ads,” and “unity.ads.” The malicious code was hidden inside the google.android folder.
By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.
“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.
The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.
The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.
Appthority found two Golduck-infected applications in Google Play and informed Google on the matter on Nov. 20, 2017. All of the offending applications have been taken down by the Android Security team.
To stay protected from the Golduck malware, users are advised to keep an eye on unusual activity on their mobile devices, such as the availability of root access without their intent. SMS charges from unknown sources would also indicate possible infection.
Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.
The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.
Related: Multi-Stage Android Malware Evades Google Play Detection
Related: Android Malware Exploits Recently Patched ‘Toast’ Flaw

More from Ionut Arghire
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Tor Network Under DDoS Pressure for 7 Months
- Russian Admits in US Court to Laundering Money for Ryuk Ransomware Gang
- Patient Information Compromised in Data Breach at San Diego Healthcare Provider
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- Vulnerability Provided Access to Toyota Supplier Management Network
- Linux Variant of Cl0p Ransomware Emerges
Latest News
- Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
