Golduck Malware Found in Popular Android Games

Cybersecurity experts from Appthority have discovered the Golduck malware in several popular Android games, allowing attackers to execute arbitrary commands and send SMS messages from infected devices. The affected apps download malicious code from the Golduck server and install it using a technique called Java Reflection.

Which Games Were Infected?

According to the researchers, the malicious apps were well-made classic games such as Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. These games had high ratings in the Google Play Store and were downloaded approximately 10.5 million times.

How the Malware Works

An additional malicious APK file was downloaded from hxxp://golduck.info/pluginapk/gp.apk. Inside this file, researchers found three folders with seemingly legitimate names: google.android, startapp.android.unity.ads, and unity.ads. Upon analyzing the contents, experts discovered hidden code (PackageUtils.class) designed to silently install apps using system permissions.

The researchers noted that the malicious apps appear to be in the early stages of development, as their code is not obfuscated. The downloaded payload also includes code to send SMS messages to numbers from the user’s contact list. These messages contain information about the game, potentially increasing the chances of the malware spreading further.
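As an added example (not code from the Appthority write-up or from the malware), a small triage script that checks an APK for the indicators the article names: the golduck.info payload host in code, runtime class loading, and a PackageUtils class under the look-alike SDK directories. The sample APKs are constructed in memory, and mapping the dotted folder names to directory paths is an assumption.

```python
import io
import zipfile

# Indicators taken from the article; directory form of the dotted folder names is assumed.
SUSPECT_DIRS = ("google/android/", "startapp/android/unity/ads/", "unity/ads/")
INSTALLER_CLASS = "PackageUtils"
PAYLOAD_HOST = b"golduck.info"
# Generic marker for runtime code loading; ad SDKs use it too, so it is only a weak signal.
DYNAMIC_LOAD_MARKER = b"Ldalvik/system/DexClassLoader;"


def triage_apk(apk_bytes):
    """Return (kind, entry) findings for one APK, e.g. a game APK or a dropped plugin APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            low = name.lower()
            # 1. Nested code packages: an .apk, or a .dex that is not a normal classes*.dex.
            if low.endswith(".apk") or (low.endswith(".dex") and not low.startswith("classes")):
                findings.append(("nested_payload", name))
            # 2. A PackageUtils class hidden under one of the look-alike SDK directories.
            if name.endswith(".class") and INSTALLER_CLASS in name and name.startswith(SUSPECT_DIRS):
                findings.append(("hidden_installer_class", name))
            # 3. Strings inside code entries: the payload host and the dynamic-loading class.
            if low.endswith((".dex", ".class")):
                data = zf.read(info)
                if PAYLOAD_HOST in data:
                    findings.append(("payload_host", name))
                if DYNAMIC_LOAD_MARKER in data:
                    findings.append(("dynamic_code_loading", name))
    return findings


def _zip(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins (not real samples): a dropper-style game APK, the plugin it fetches, a clean app.
GAME_APK = _zip({"classes.dex": b"dex\n035\x00Lcom/example/game/Main;\x00"
                                b"hxxp://golduck.info/pluginapk/gp.apk\x00Ldalvik/system/DexClassLoader;"})
PLUGIN_APK = _zip({"google/android/PackageUtils.class": b"\xca\xfe\xba\xbe constructed",
                   "unity/ads/Helper.class": b"\xca\xfe\xba\xbe constructed"})
CLEAN_APK = _zip({"classes.dex": b"dex\n035\x00Lcom/example/puzzle/Main;"})

if __name__ == "__main__":
    for label, apk in (("game", GAME_APK), ("plugin", PLUGIN_APK), ("clean", CLEAN_APK)):
        print(label, triage_apk(apk))
```

Real APKs carry Dalvik bytecode in classes.dex rather than loose .class files, so on real input the directory check mostly applies to a dropped plugin packaged the way the article describes.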

Potential Impact

Experts explained that Golduck allows attackers to fully compromise an infected device, especially if it has superuser (root) access enabled.

Response and Recommendations

The researchers notified Google about their findings on November 20, 2017. All malicious apps have since been removed from the Google Play Store.

Users are strongly advised to delete Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber from their devices as soon as possible.