Appthority found several classic game apps from the Google Play store which, once installed on your device, silently download an extra APK file with malicious code from hxxp://golduck.info/pluginapk/gp.apk. The downloaded APK file, also known as a “payload”, contains code related to downloading additional apps from the Golduck server, silently installing these apps, using a technique called “Java reflection”, running shell commands, and sending SMSes.
The malicious apps are high quality classic games, such as Tank and Bomber. As a result they are well rated on the Google Play store, and up to 10.5 million users are affected.
First, the original game apps load the malicious code from the gp.apk file via the /system/bin/dex2oat command. The loaded gp.apk file contains 3 folders with seemingly benign names, such as “google.android”, “startapp.android.unity.ads” and “unity.ads”. However, the malicious code sits under “google.android”, a name chosen to hide the true function of the code by making it appear legitimate.
For instance, the “PackageUtils.class” contains the following code, which silently installs apps using system permissions. These malicious apps seem to be at their initial stage and the code is not obfuscated.
The payload also contains code for sending SMS messages to users’ contacts with game information, increasing the potential of spreading the malware to other users.
Golduck malware may lead to complete device compromise, especially if the device is already rooted, as well as other adware-related attacks. These apps are present in 8% of Appthority’s enterprise customers. (Appthority’s Mobile Threat Protection solution has already informed them and helped remediate the threat from their enterprise environments).
Although most Android malware comes from unofficial, third-party app stores, two Golduck-infected apps were found in the Google Play store. Appthority informed Google on 27 Nov 2017 and, thanks to the Android Security team’s quick action, the Golduck apps have been taken down.
Protecting Devices from Golduck
- Be aware of unusual activities on your mobile devices, such as the device being rooted without the user’s intent, or SMS charges from unknown sources
- Do not install apps from unknown developers and unofficial app stores
- Uninstall the apps listed below from any devices
| Application Name | Package | File Hash |
|---|---|---|
| Classic Block Puzzle | com.superbrick.topfreegame.blockpuzzleplus | 8eb382ccdeea939e4b004f212aa2a375 |
| Classic Tank vs Super Bomber | com.classic.game.tankvsbomber | 540a68ba6da2bf3b10c3ae3efb3b8f14 |
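The indicators above (the payload URL, the dex2oat loading path, and the package names and hashes in the table) are enough for a simple offline triage check of an APK pulled from a device. The following script is an added example and is not Appthority's tooling or anything from the original post; it treats an APK as the zip file it is, searches every entry for the indicator strings, and compares the file digest against the table. It assumes the hashes in the table are MD5 digests (they are 32 hex characters, but the post does not name the algorithm), and the sample APK it scans is a constructed stand-in with a fake classes.dex, not a real Golduck sample.

```python
"""Offline indicator scan for the Golduck dropper pattern.

Added example, not Appthority's tooling. Assumptions not stated in the post:
the table hashes are MD5, and indicators are matched as raw byte substrings
of each entry inside the APK zip container.
"""
import hashlib
import io
import zipfile

# Indicator strings taken from the post: the payload host/path and the
# command used to load the downloaded dex.
STRING_INDICATORS = [
    b"golduck.info",
    b"pluginapk/gp.apk",
    b"/system/bin/dex2oat",
]

# Package names and file hashes from the post's table (treated as MD5: assumption).
KNOWN_PACKAGES = {
    "com.superbrick.topfreegame.blockpuzzleplus": "8eb382ccdeea939e4b004f212aa2a375",
    "com.classic.game.tankvsbomber": "540a68ba6da2bf3b10c3ae3efb3b8f14",
}
KNOWN_HASHES = set(KNOWN_PACKAGES.values())


def scan_apk_bytes(apk_bytes):
    """Scan an APK (zip) image in memory and return what matched.

    The result maps each matched indicator string to the list of zip entries
    it was found in, and records whether the whole-file MD5 is a known hash.
    """
    findings = {
        "md5": hashlib.md5(apk_bytes).hexdigest(),
        "hash_match": False,
        "strings": {},
    }
    findings["hash_match"] = findings["md5"] in KNOWN_HASHES
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        # Not an APK at all; report that rather than crash on odd input.
        findings["error"] = "not a zip/APK container"
        return findings
    with zf:
        for name in zf.namelist():
            data = zf.read(name)
            for indicator in STRING_INDICATORS:
                if indicator in data:
                    findings["strings"].setdefault(indicator.decode(), []).append(name)
    return findings


def is_suspicious(findings):
    """True if the hash is known or any indicator string was found."""
    return findings["hash_match"] or bool(findings["strings"])


def is_known_package(package_name):
    """Check an installed package name against the post's table."""
    return package_name in KNOWN_PACKAGES


def build_sample_apk(dex_payload):
    """Constructed sample: a minimal zip standing in for an APK with a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: one stand-in carrying the payload URL and loader path,
    # one with neither. Neither is a real APK.
    dropper_like = build_sample_apk(
        b"dex\n035\x00 ... golduck.info/pluginapk/gp.apk ... /system/bin/dex2oat ..."
    )
    clean = build_sample_apk(b"dex\n035\x00 ... nothing of interest ...")
    for label, image in (("dropper-like", dropper_like), ("clean", clean)):
        result = scan_apk_bytes(image)
        print(label, "suspicious" if is_suspicious(result) else "clean", result["strings"])
    print("com.classic.game.tankvsbomber known:", is_known_package("com.classic.game.tankvsbomber"))
```

On a real device the input would be the APK exported with `adb pull` from the package's installation path and the package list from `pm list packages`; a string match inside `classes.dex` points at the dropper, while a hash match identifies the exact build listed in the table.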