Appthority discovered a family of malicious apps on the Google Play store, which we call Golduck. Once launched, these apps download a payload APK file from the server at “hxxp://golduck.info/” and execute it. The payload APK contains code that downloads additional application files, installs them with system permissions, invokes various methods via Java reflection, and sends SMS text messages, all without the user’s knowledge.
Impact: Because the malicious apps are high-quality classic games, they were installed widely: up to 10.5 million individual users are affected. Moreover, 8% of Appthority enterprise customers have Golduck malware present in their environment. Appthority has informed Google Play about the malware.
Risk Score: 8
- Watch for unusual activity on your mobile devices, such as the device being rooted without your intent, or SMS charges from unknown sources
- Do not install apps from unknown developers or unofficial app stores
- Uninstall the apps listed below from all devices:
| Application Name | Package | File Hash |
| --- | --- | --- |
| Classic Block Puzzle | com.superbrick.topfreegame.blockpuzzleplus | 8eb382ccdeea939e4b004f212aa2a375 |
| Classic Tank vs Super Bomber | com.classic.game.tankvsbomber | 540a68ba6da2bf3b10c3ae3efb3b8f14 |
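The table gives two indicators per app, the package name and the file hash. As an added example (not Appthority's tooling), the script below sweeps a device's package inventory against those indicators. It assumes the inventory was collected with `adb shell pm list packages -f` and that the pulled APKs were hashed with md5sum-style output (the advisory's 32-character hashes are MD5-length, so MD5 is assumed); the sample inventory and the benign hashes it runs on are constructed.

```python
"""Sweep an Android package inventory for the Golduck indicators above.

Added example, not Appthority's tooling. It assumes the inventory was
collected with `adb shell pm list packages -f` (lines of the form
`package:/path/base.apk=com.package.name`) and that the APKs were
pulled and hashed with md5sum-style output (`<32 hex chars>  <path>`).
The advisory lists 32-character hashes, which is what MD5 produces, so
MD5 is assumed here. The sample inventory and the benign hashes below
are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators from the advisory table: package name -> file hash.
GOLDUCK_IOCS: Dict[str, str] = {
    "com.superbrick.topfreegame.blockpuzzleplus": "8eb382ccdeea939e4b004f212aa2a375",
    "com.classic.game.tankvsbomber": "540a68ba6da2bf3b10c3ae3efb3b8f14",
}

PM_LINE = re.compile(r"^package:(?P<path>\S+\.apk)=(?P<pkg>\S+)$")
HASH_LINE = re.compile(r"^(?P<hash>[0-9a-fA-F]{32})\s+\*?(?P<path>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    file_hash: Optional[str]
    verdict: str  # "confirmed", "name-only" or "hash-only"


def parse_inventory(pm_output: str) -> Dict[str, str]:
    """Map APK path -> package name; lines that do not parse are skipped."""
    paths = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            paths[m.group("path")] = m.group("pkg")
    return paths


def parse_hashes(md5_output: str) -> Dict[str, str]:
    """Map APK path -> lowercase hash from md5sum-style lines."""
    hashes = {}
    for line in md5_output.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            hashes[m.group("path")] = m.group("hash").lower()
    return hashes


def sweep(pm_output: str, md5_output: str) -> List[Finding]:
    """Cross-check every installed package against the IOC table.

    A package-name hit with a matching hash is a confirmed sample. A name
    hit with a different or missing hash still deserves a look (another
    build under the same listing), and a known-bad hash under any package
    name means the APK bytes themselves are a Golduck sample.
    """
    hashes = parse_hashes(md5_output)
    known_hashes = set(GOLDUCK_IOCS.values())
    findings = []
    for path, pkg in parse_inventory(pm_output).items():
        file_hash = hashes.get(path)
        expected = GOLDUCK_IOCS.get(pkg)
        if expected is not None and file_hash == expected:
            verdict = "confirmed"
        elif expected is not None:
            verdict = "name-only"
        elif file_hash in known_hashes:
            verdict = "hash-only"
        else:
            continue
        findings.append(Finding(pkg, path, file_hash, verdict))
    return findings


# Constructed sample output (not from a real device).
SAMPLE_PM = """\
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/com.superbrick.topfreegame.blockpuzzleplus-1/base.apk=com.superbrick.topfreegame.blockpuzzleplus
package:/data/app/com.classic.game.tankvsbomber-2/base.apk=com.classic.game.tankvsbomber
"""
SAMPLE_MD5 = """\
3b7a1e9c5d2f4a8b6c0d9e1f2a3b4c5d  /data/app/com.example.notes-1/base.apk
8eb382ccdeea939e4b004f212aa2a375  /data/app/com.superbrick.topfreegame.blockpuzzleplus-1/base.apk
9c4e2d1b0a8f7e6d5c4b3a2f1e0d9c8b  /data/app/com.classic.game.tankvsbomber-2/base.apk
"""

if __name__ == "__main__":
    for f in sweep(SAMPLE_PM, SAMPLE_MD5):
        print(f"{f.verdict:10} {f.package} ({f.path}) hash={f.file_hash}")
```

The package name is the primary indicator because the hash changes with every build; a "name-only" finding means the listed package is installed but the APK on the device is not the exact sample hashed in the advisory, which is a reason to pull the file for a closer look rather than to clear the device.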
For Appthority Customers:
Appthority customers are already protected.
- Detect infected devices via the “MTT App Threat Blacklist” Threat Indicator.
- Inform employees who have the malicious apps installed on their devices and take remediation action, such as asking them to uninstall the malware.
- Educate IT security admins to be wary of apps that exhibit all of the following suspicious behaviours:
  - Detects if Device is Rooted/Jailbroken
  - Performs Direct System Calls
  - Performs Dynamic Symbol Lookups
  - Loads Native Libraries
- Educate employees to report unusual activity on mobile devices, such as the device being rooted without their intent (use the “Device is Rooted/Jailbroken” Threat Indicator), or unusual SMS charges from unknown sources.
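As an added example, not Appthority's detection engine, the script below shows how the four behaviours listed above (plus the SMS sending, reflection and payload download described in the first paragraph) can be triaged offline from an APK file. The indicator strings it searches for are this example's assumptions about what such code usually contains; only the payload host `golduck.info` comes from the advisory, and the sample APKs it inspects are constructed in memory.

```python
"""Static triage of an APK for the behaviours the advisory lists.

Added example, not Appthority's analysis engine. An APK is a ZIP, so two
cheap offline checks cover most of the list: the entry names show whether
native libraries are bundled, and a byte search over the DEX and ELF
payloads finds the strings that root checks, dlsym-based symbol lookups,
libc syscall wrappers, reflection and SMS sending normally leave behind.
Apart from the payload host `golduck.info`, every indicator string is an
assumption of this example about what such code usually contains, not
something published in the advisory, and the sample APKs are constructed.
"""
import io
import zipfile
from typing import Dict, List

# ASCII method, type and path names appear verbatim in DEX string tables
# and ELF symbol tables, so a substring search works as a first pass.
# It will miss inline `svc` instructions and string-obfuscated samples.
INDICATORS: Dict[str, List[bytes]] = {
    "root_detection": [b"/system/bin/su", b"/system/xbin/su", b"Superuser.apk", b"test-keys"],
    "direct_system_calls": [b"syscall"],
    "dynamic_symbol_lookup": [b"dlsym", b"dlopen"],
    "reflection": [b"Ljava/lang/reflect/Method;", b"getDeclaredMethod"],
    "sends_sms": [b"sendTextMessage", b"sendMultipartTextMessage"],
    "payload_host": [b"golduck.info"],
}

# The four behaviours the advisory tells admins to treat, together, as suspicious.
ADVISORY_PROFILE = ("root_detection", "direct_system_calls",
                    "dynamic_symbol_lookup", "loads_native_libraries")


def triage_apk(apk_bytes: bytes) -> Dict[str, bool]:
    """Return one flag per behaviour for the APK held in `apk_bytes`."""
    flags = {name: False for name in INDICATORS}
    flags["loads_native_libraries"] = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                flags["loads_native_libraries"] = True
            if not name.endswith((".dex", ".so")):
                continue  # only code carries the strings we care about
            data = zf.read(name)
            for category, needles in INDICATORS.items():
                if any(needle in data for needle in needles):
                    flags[category] = True
    return flags


def matches_advisory_profile(flags: Dict[str, bool]) -> bool:
    """True when all four behaviours from the advisory's list are present."""
    return all(flags[name] for name in ADVISORY_PROFILE)


def build_sample_apk(malicious: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP for the demo (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
        if malicious:
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/x/Game;\x00sendTextMessage\x00"
                        b"/system/xbin/su\x00golduck.info/\x00getDeclaredMethod\x00")
            zf.writestr("lib/armeabi-v7a/libgame.so", b"\x7fELF\x00dlsym\x00syscall\x00")
        else:
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/example/notes/Main;\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "clean"):
        flags = triage_apk(build_sample_apk(label == "malicious"))
        hits = sorted(k for k, v in flags.items() if v)
        print(f"{label}: profile={matches_advisory_profile(flags)} hits={hits}")
```

On a real device, `adb shell pm path <package>` prints the installed APK path and `adb pull <path>` retrieves it; the file's bytes can then be passed to `triage_apk`. Treat the result as a triage signal, not a verdict: plenty of legitimate games bundle native libraries, so it is the combination of all four behaviours, as the list above says, that should prompt a closer look.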