# Goldoson
Goldoson is a malicious advertising SDK discovered embedded in 60+ legitimate applications with over 100 million cumulative downloads on Google Play and Korea's ONE store. McAfee published the discovery in April 2023, documenting a supply chain compromise where app developers unknowingly included a third-party SDK containing data collection and ad click fraud capabilities. The SDK collected installed app lists, Wi-Fi and Bluetooth device information, and GPS location while performing background ad click fraud.
## Overview
| Attribute | Details |
|---|---|
| First Seen | 2023 (discovery) |
| Last Seen | 2023 (remediated after disclosure) |
| Status | Remediated, apps updated or removed |
| Type | Malicious SDK, adware, data harvester |
| Attribution | Unknown SDK developer |
| Aliases | None known |
## Vendor Names
| Vendor | Name |
|---|---|
| McAfee | Android/Goldoson |
| Kaspersky | not-a-virus:HEUR:AdWare.AndroidOS.Goldoson |
| AhnLab | PUP/Android.Goldoson |
## Origin and Lineage
Goldoson is not a standalone malware family but a malicious SDK distributed through a third-party advertising library. The compromise follows the same supply chain attack pattern as Necro (Coral SDK) and Triada (firmware-level), though at the SDK/library level rather than the system level. Developers integrating the SDK into their apps were likely unaware of its data collection and ad fraud capabilities.
## Distribution
Goldoson reached users through legitimate apps on two major Korean app stores:
| Platform | App Count | Combined Downloads |
|---|---|---|
| Google Play | 60+ apps | 100M+ |
| ONE Store (Korea) | 8+ apps | Additional millions |
Affected apps included popular Korean utility, entertainment, and lifestyle applications. The developers were victims of the supply chain compromise, not participants.
### Remediation
After McAfee's disclosure:
- Google removed non-compliant apps from Play Store
- Developers who updated their apps to remove the Goldoson SDK had apps reinstated
- ONE store conducted a parallel review and cleanup
## Capabilities
| Capability | Description |
|---|---|
| Installed app inventory | Collects list of all installed applications |
| Wi-Fi device scanning | Records nearby Wi-Fi access points and connected devices |
| Bluetooth device scanning | Records nearby Bluetooth devices |
| GPS location tracking | Periodic location collection |
| Background ad clicking | Loads and clicks ads in hidden WebViews |
| Device fingerprinting | Hardware identifiers, OS version, build information |
### Data Collection
The SDK operated on a schedule, periodically collecting and uploading device data:
- Every 2 days: installed app list, location, Wi-Fi/Bluetooth scan results
- Continuous: background ad click fraud for revenue generation
- Uploads: collected data sent to a remote server controlled by the SDK developer
### Ad Click Fraud
Goldoson loaded advertising URLs in hidden WebViews and simulated clicks on ads without user visibility. This generated fraudulent advertising revenue for the SDK operators at the expense of advertisers and users' battery and data.
## Technical Details
### SDK Integration
Many affected apps were games built with Unity or native Java, where the Goldoson SDK was embedded alongside legitimate advertising libraries. The SDK was distributed as a standard advertising library. Developers added it to their projects expecting legitimate ad functionality:
- Standard Android library (.aar) format
- Registered as a content provider for auto-initialization
- Minimal visible API surface for ad display
- Hidden data collection and click fraud modules activated in background
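The two integration traits above (an auto-initialising content provider from an SDK package, plus the permissions that app-inventory, location, Wi-Fi and Bluetooth collection require) can be checked in a decoded `AndroidManifest.xml` during app review. This is an added triage example, not code from McAfee or from any affected app; the capability-to-permission mapping is my assumption about what the described collection needs, and the manifest it parses is constructed.

```python
"""Triage a decoded AndroidManifest.xml for SDK content providers that run at
process start and for the permission cluster Goldoson-style collection needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities described in this page to the Android
# permissions that implement them (my mapping, not from the McAfee report).
SIGNAL_PERMISSIONS = {
    "installed app inventory": {"android.permission.QUERY_ALL_PACKAGES"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "wi-fi scanning": {"android.permission.ACCESS_WIFI_STATE"},
    "bluetooth scanning": {"android.permission.BLUETOOTH",
                           "android.permission.BLUETOOTH_SCAN"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return providers declared outside the app's own package and the
    collection-related permission signals the manifest requests."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    perms = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    foreign_providers = []
    for p in root.iter("provider"):
        name = p.get(ANDROID_NS + "name", "")
        # A provider class outside the app package is SDK code that the
        # system instantiates before any of the app's own code runs.
        if not name.startswith(app_pkg + "."):
            foreign_providers.append(name)
    signals = {cap for cap, needed in SIGNAL_PERMISSIONS.items() if perms & needed}
    return {"foreign_providers": foreign_providers,
            "signals": sorted(signals),
            "suspicious": bool(foreign_providers) and len(signals) >= 3}

# Constructed manifest for a hypothetical app bundling a hypothetical SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <application>
    <provider android:name="com.adsdk.example.InitProvider"
              android:authorities="com.example.flashlight.adsdk.init"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Auto-initialising providers are common in legitimate SDKs too, so treat a hit as a signal that prioritises the SDK for manual review, not as a verdict.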
### Remote Configuration
The SDK's behavior was controlled by a remote configuration server:
| Parameter | Function |
|---|---|
| Collection interval | How frequently device data is harvested |
| Ad URLs | Which ads to load and click |
| Feature flags | Enable/disable specific collection capabilities |
| Target packages | Which installed apps to report |
This remote configuration allowed the operator to adjust behavior, potentially activating or deactivating data collection to evade detection during security reviews.
## Target Regions
| Region | Details |
|---|---|
| South Korea | Primary target, ONE store presence |
| Global | Google Play distribution reached worldwide |
The affected apps were primarily popular with Korean users, but their Google Play presence meant global availability. The data collection capabilities operated regardless of user location.
## Notable Campaigns
2023, April: McAfee discovers Goldoson SDK embedded in 60+ Google Play apps with 100M+ downloads and additional apps on Korea's ONE store. McAfee coordinates disclosure with Google and app developers. Affected apps are either removed or updated to remove the malicious SDK.