Mobile Threat Blog


Appthority found several classic game apps in the Google Play store that, once installed on a device, silently download an additional APK with malicious code from hxxp://golduck.info/pluginapk/gp.apk. This downloaded APK, the “payload”, contains code that downloads further apps from the Golduck server, silently installs them (the installer is invoked through Java reflection), runs shell commands, and sends SMS messages.

The malicious apps are high-quality classic games, such as Tank and Bomber, so they are well rated on the Google Play store, and up to 10.5 million users are affected.

First, the original game app loads the malicious code from the gp.apk file; the load goes through the /system/bin/dex2oat command, the on-device compiler Android runs whenever an app loads code at runtime instead of through a normal install. The loaded gp.apk contains three packages with seemingly benign names, “google.android”, “startapp.android.unity.ads” and “unity.ads”. The malicious code sits under “google.android”, a name chosen to make it look legitimate and hide its true function.

For instance, “PackageUtils.class” holds the routine that silently installs apps using system permissions. These malicious apps seem to be at an early stage of development and the code is not obfuscated.

The payload also contains code for sending SMS messages with game information to the user’s contacts, increasing the malware’s potential to spread to other users.

Golduck malware may lead to complete device compromise, especially if the device is already rooted, as well as other adware-style abuse. These apps are present in the environments of 8% of Appthority’s enterprise customers. (Appthority’s Mobile Threat Protection solution has already informed them and helped remediate the threat from their enterprise environments.)

Although most Android malware comes from unofficial, third-party app stores, two Golduck-infected apps were found in the Google Play store. Appthority informed Google on 27 Nov 2017 and, thanks to the Android Security team’s quick action, the Golduck apps have been taken down.

Protecting Devices from Golduck

  • Watch for unusual activity on your mobile devices, such as the device being rooted without the user’s intent, or SMS charges from unknown sources
  • Do not install apps from unknown developers or unofficial app stores
  • Uninstall the apps listed below from any device:

Application Name              Package                                      File Hash (MD5)
Classic Block Puzzle          com.superbrick.topfreegame.blockpuzzleplus   8eb382ccdeea939e4b004f212aa2a375
Classic Bomber                com.anzgames.classicbomber                   bc716915102c0223fed2dbaaa1af2efd
Classic Tank vs Super Bomber  com.classic.game.tankvsbomber                540a68ba6da2bf3b10c3ae3efb3b8f14
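As an added example (this is not Appthority's tooling or code from the page), the following Python checks a device or an APK sample against the indicators in this write-up: it parses the output of `adb shell pm list packages -f` for the package names in the table, hashes an APK against the listed MD5s, and searches classes.dex for the payload URL quoted in the first paragraph and for the DexClassLoader descriptor that runtime code loading (the step that goes through dex2oat) leaves behind. The `pm` output and the two small APKs are constructed for the demo; the DexClassLoader string is a generic signal that legitimate apps also produce, so treat it as a weaker indicator than the URL or a hash match.

```python
"""Offline checker for the Golduck indicators listed on this page.

Added example, not Appthority's tooling. Input (a) is the text produced by
`adb shell pm list packages -f`; input (b) is the raw bytes of an APK.
SAMPLE_PM_OUTPUT and the two sample APKs below are constructed data.
"""
import hashlib
import io
import re
import zipfile

# Indicators from the table on this page: package name -> MD5 of the APK.
GOLDUCK_PACKAGES = {
    "com.superbrick.topfreegame.blockpuzzleplus": "8eb382ccdeea939e4b004f212aa2a375",
    "com.anzgames.classicbomber": "bc716915102c0223fed2dbaaa1af2efd",
    "com.classic.game.tankvsbomber": "540a68ba6da2bf3b10c3ae3efb3b8f14",
}

# Byte strings to look for inside classes.dex. The host and path come from
# the payload URL quoted on this page; the DexClassLoader descriptor is the
# standard Android class used to load a downloaded APK at runtime (the load
# that triggers dex2oat), so it is a generic, weaker signal.
SUSPICIOUS_STRINGS = {
    b"golduck.info": "known Golduck payload host",
    b"pluginapk/gp.apk": "known Golduck payload path",
    b"Ldalvik/system/DexClassLoader;": "runtime code loading (generic)",
}

PM_LINE = re.compile(r"^package:(?P<path>[^=]+)=(?P<pkg>\S+)$")
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def parse_pm_list(pm_output: str) -> dict:
    """Turn `pm list packages -f` output into {package_name: apk_path}."""
    installed = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def find_installed_iocs(pm_output: str) -> list:
    """Return sorted (package, apk_path) pairs for every listed Golduck package."""
    installed = parse_pm_list(pm_output)
    return sorted((pkg, path) for pkg, path in installed.items()
                  if pkg in GOLDUCK_PACKAGES)


def scan_apk(apk_bytes: bytes) -> dict:
    """Hash an APK against the IOC table and search its dex files for indicators."""
    report = {"md5": hashlib.md5(apk_bytes).hexdigest(),
              "hash_match": None, "indicators": []}
    for pkg, known_md5 in GOLDUCK_PACKAGES.items():
        if known_md5 == report["md5"]:
            report["hash_match"] = pkg
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not DEX_NAME.match(name):
                continue
            dex = apk.read(name)  # raw bytes; dex strings are MUTF-8, plain ASCII here
            for needle, why in SUSPICIOUS_STRINGS.items():
                if needle in dex:
                    report["indicators"].append((name, needle.decode(), why))
    return report


# ---- constructed sample data ------------------------------------------------

SAMPLE_PM_OUTPUT = """\
package:/data/app/com.anzgames.classicbomber-1/base.apk=com.anzgames.classicbomber
package:/system/priv-app/Contacts/Contacts.apk=com.android.contacts
package:/data/app/com.example.notepad-2/base.apk=com.example.notepad
"""


def _zip_with_dex(dex_body: bytes) -> bytes:
    """Build a minimal zip shaped like an APK, with fixed timestamps so its hash is stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("AndroidManifest.xml", b"<manifest/>"),
                           ("classes.dex", b"dex\n035\x00" + dex_body)):
            info = zipfile.ZipInfo(name, date_time=(2017, 11, 27, 0, 0, 0))
            z.writestr(info, body)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed stand-in for a Golduck dropper: its dex names the loader and the payload URL."""
    return _zip_with_dex(b"Ldalvik/system/DexClassLoader;\x00"
                         b"http://golduck.info/pluginapk/gp.apk\x00")


def build_benign_apk() -> bytes:
    """Constructed stand-in for an ordinary game with none of the indicators."""
    return _zip_with_dex(b"Lcom/example/game/MainActivity;\x00")


if __name__ == "__main__":
    for pkg, path in find_installed_iocs(SAMPLE_PM_OUTPUT):
        print(f"INSTALLED IOC: {pkg} at {path}  (remove with: adb uninstall {pkg})")
    for label, apk in (("dropper", build_sample_apk()), ("benign", build_benign_apk())):
        r = scan_apk(apk)
        print(f"{label}: md5={r['md5']} hash_match={r['hash_match']}")
        for name, s, why in r["indicators"]:
            print(f"  {name}: {s!r} -> {why}")
```

On a real device, feed `adb shell pm list packages -f` into `find_installed_iocs` and `adb pull` the reported base.apk into `scan_apk`; a hash match against the table is definitive, a hit on the golduck.info strings is strong, and a lone DexClassLoader hit only says the app loads code at runtime, which many ad SDKs also do.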
