What is Goldoson malware

It was identified by McAfee that 60 legitimate apps (in Google Play and South Korea’s ONE Store) have been infiltrated with a malicious library identified as “Goldoson“. Please note that the apps themselves are fully legitimate and were not meant to be malicious by their developers. It is the third-party library, to which these apps were connected and which suddenly got injected with Goldoson malware. The downloads for these apps range from 1 million to even 10 million downloads, meaning a lot of innocent users have become victims of this malicious library. The malware itself is capable of collecting sensitive data from installed apps, Wi-Fi/Bluetooth-connected devices, and the user’s GPS location as well. In addition, it was discovered that Goldoson malware can stealthily click on advertisements in the background with a special HTML code. This, therefore, helps cybercriminals generate additional revenue from infected users. Although this malware does not have as disruptive capabilities as banking trojans, it is still enough to put users’ safety and privacy at risk. Luckily, a number of applications from Google Play have removed the malicious library and are safe to use after installing the latest update. Some, unfortunately, did not do it in time and are no longer available in Google Play.

goldoson malware

These apps must be uninstalled permanently. Here is a full list of applications that removed the malicious library and those that did not. These apps removed the malicious library in the new update and pose no danger to users. Users can update or reinstall them from scratch and continue using the safely:

GOM Audio Plus – Music, Sync l
GOM Audio – Music, Sync lyrics
GOM Player
Korea Subway Info : Metroid
L.POINT with L.PAY
LIVE Score, Real-Time Score
LOTTE WORLD Magicpass
Money Manager (Remove Ads)
Money Manager Expense & Budget
TMAP – 대리,주차,전기차 충전,킥보
곰TV – All About Video
나홀로 노래방–쉽게 찾아 이용하는
롯데 워터파크
롯데시네마
롯데월드 아쿠아리움
롯데월드타워 서울스카이
매표소–뮤지컬문화공연 예매&
숫자 뽑기
씨네큐브
이상형 월드컵
작은영화관
전역일 계산기 디데이 곰신톡–군인
지니뮤직 – genie
컬쳐랜드[컬쳐캐쉬] 컬쳐플러스:컬쳐랜드 혜택 더하기
클라우드런처
해피스크린 – 해피포인트를 모으
Show more
Show less

Thes apps did not remove the vulnerability in time and were removed from Google Play. Users who still have these applications installed are strongly recommended to remove them from their devices:


Bounce Brick Breaker
CU편의점택배
Compass 9: Smart Compass
GOODTV다번역성경찬송
Infinite Slice
InfinitySolitaire
Inssaticon – Cute Emoticons, K
Pikicast
Snake Ball Lover
SomNote – Beautiful note app
Swipe Brick Breaker
Swipe Brick Breaker 2
T map for KT, LGU+
TDI News – 최초 데이터 뉴스 앱
TNT
UBhind: Mobile Tracker Manager
게토(geto) – PC방 게이머 필수 앱
기억메모 – 심플해서 더 좋은 메모장
노티아이 for 소상공인
눈팅 – 여자들의 커뮤니티
로더(Loader) – 효과음 다운로드 앱
메가박스(Megabox)
베스트케어–위험한 전자기장,
불러봄내 – 춘천시민을 위한 공공
스마트 녹음기 : 음성 녹음기
스피드 운전면허 필기시험
아이템매니아 – 게임 아이템 거래
안심해 : 안심지도
안심해 – 안심귀가 프로젝트
연하구곡
창문닫아요(미세/초미세먼지/WHO
츄스틱 : 크리샤츄 Fantastic
캣메라 [순정 무음카메라] 팅서치 TingSearch
판타홀릭 – 아이돌 SNS 앱
풀빵 : 광고 없는 유튜브 영상
Show more
Show less

Feel free to follow our guide below in order to remove the application completely without traces. We will also show you general instructions on how to detect Android infections and deal with them respectively.

How Goldoson malware infected your computer

As mentioned, Goldoson was found in a third-party library that was used by approximately 60 apps available in Google Play and South Korea’s ONE Store. These apps are fully legitimate and were not designed to pose a danger to users. Unfortunately, their vulnerability got abused by threat actors, which allowed them to sneak a piece of malware into smartphones where those apps were installed. While such things are rare, they can happen to any of us. Thus, it is not directly your fault that the legitimate apps were connected to a library that later on turned out malicious. Although Google Play is supposed to be a safe haven for downloading any application you like, the reality looks slightly different and some malware makes its way onto the platform from time to time. While Google detects and takes diligent care of malicious apps in the shortest time possible, many users still end up infected and become victims of some kind of malware. Sometimes cybercriminals manage to upload intentionally malicious apps that act as droppers for installing banking trojans. In other cases, users may also be tricked into downloading malware through phishing SMS messages, pop-ups, dubious ads, malicious websites that host Android APK files, and other channels as well. To minimize the chances of malware infection, it is important to download verified and preferably time-tested software only from trustworthy and verified resources, such as Google Play.

1. Download Anti-malware software

Download Norton Security

The best and most effective way to detect and remove malicious software is to use a specially designed program like antivirus. High-quality and trusted anti-malware software wields constantly updating databases of malware to find it and neutralize quickly. Manual removal may not be as effective as using anti-malware software. The virus may show reluctance to the deletion or otherwise leave redundant traces. Our strong recommendation is Norton Security which has been providing thorough protection and removal of various threats across smartphone operating systems. You can download it from Google Play for Android and run malware removal for free.

2. Manual removal

If you do not have any of the above-listed applications installed, but still experience the same symptoms of Goldoson malware, use these instructions to find the culprit. There are two traditional ways to do it. Both include checking the amount of battery and data resources demanded by the app. If there is a malicious program installed on your device, you will see excessively high resource demand by the malware. The steps listed below are similar on all Android-based smartphones.

To check Battery resources:

  1. Find and open Settings on your device.
  2. Among the list of settings, choose Battery.
  3. Then tap on Battery Usage and check which application consumes the most (on top of the list).

To check data usage:

  1. Open Settings as we did above.
  2. Then choose something related to the network. Usually, it is called Connections.
  3. Find and tap on Data Usage or similar. On some devices, you will see the overall usage of traffic immediately. If not, you have to choose WiFi and Mobile data usage separately.

After identifying which app causes the most resource consumption, you can navigate to Settings > Applications, find and delete the application you found. Before doing so, it higly-recommended to remove Administrative Privileges for the malicious app:

  1. Go to Settings and find the Lock Screen and Security configuration.
  2. Most smartphones have Advanced or Other security settings to open.
  3. Then you should select something called Device Admin Apps.
  4. Once done, find the malicious application you found before and Deactivate it.

If you are still unable to delete the stubborn app, we advise you to do it in Safe Mode. It ensures your smartphone is launched using only in-built and native features, which helps work around restrictions imposed by malicious software. Of course, Goldoson malware could block it as long as it has privileged rights, but still, give it a try if you have not done it yet. Here is how:

  1. Push and hold the Power button until it opens the list of reboot options.
  2. Then tap on and hold the Power off icon for a couple of seconds.
  3. A new message will pop asking to boot in Safe Mode.
  4. Confirm it and boot up your smartphone to affect the above steps in Safe Mode.

Once the deletion steps have been performed, you should no longer encounter the symptoms of the malicious Goldoson malware. We recommend you scout the list of installed applications for other suspicious presence that you do not remember installing. There is a chance Goldoson malware could install it upon.

3. Reset browser settings

After removing the application completely, it is important to clear your browser from malicious settings that could be installed by Goldoson malware. You will have to perform a couple of steps comprising full restoration of browser settings. Besides infecting your device, the virus could also crawl into your browser to impose various changes. For instance, content like push notifications and other types of banners popping right on the screen might come from your browser. You can run a step-by-step cleaning for each browser segment (browsing history, push-notifications, permissions. etc.) to remove any malware traces. However, rolling browser configuration back to factory settings is better because it wipes out everything accumulated inside of a browser making sure no unwanted content dwells around your smartphone. We will show you both step-by-step clean-ups and full factory reset for the most popular browsers including Google Chrome, Mozilla Firefox, and Opera.

Google Chrome:

At first, let’s clear browsing data.

  1. Open Chrome browser and tap on Menu (3-dot icon in the top right corner).
  2. Then go to History and choose Clear browsing data….
  3. In the Advanced tab check all boxes and tap Clear data.

Then, we should disable push notifications.

  1. Open the same Menu and choose Settings.
  2. Then find and open Site Settings.
  3. Scroll down a bit until you find Notifications.
  4. Locate websites under Allowed, tap on them, and choose Clear & Reset.
  5. You can also disable the Notifications feature to prevent websites from asking for permission completely.

As mentioned, you can also reset your browser to default settings so that you have it from scratch. This means that all of the data stored within the browser will be deleted and rolled back to the default configuration. Since we are dealing with malicious behavior, it is good to perform such steps to make sure nothing harmful persists inside of your browser. It is more robust and quicker than running each step like above.

  1. Find and open Settings on your screen.
  2. Go to Applications and search for Chrome.
  3. Once found, tap on it and navigate to Storage > Manage Storage.
  4. Finally, tap on Clear All Data and wait until the process is done.

Mozilla Firefox:

The process looks almost identical, only slightly different in the names of the steps. Nevertheless, we will show you how it looks like on Firefox as well. To clear browsing data:

  1. Open Firefox and navigate to Menu likewise in Chrome.
  2. Choose History and tap on Clear private data.
  3. Select all of the entries and tap Clear Data.

To disable push notifications, follow these steps.

  1. Open Firefox again.
  2. Open Menu (either on top or below) and choose Settings.
  3. Then, go to Site permissions > Notification.
  4. Choose Blocked to not see notifications at all.

Up next is resetting browsing settings completely. To do this, simply follow all of the steps mentioned for Chrome above.

Opera:

Clearing browsing data in Opera looks like this:

  1. Open Opera and tap on the browser logo below on the right.
  2. Choose Settings, scroll down the list, and tap on Clear browsing data….
  3. Click Advanced, check all of the boxes listed, and choose Clear Data.

In order to disable notifications in Opera:

  1. Open Opera and tap on the browser logo below on the right.
  2. Choose Settings and scroll down until you find Site Settings.
  3. Click on it and choose Notifications.
  4. Tap Block to remove all Notification permission.

Performing full Opera reset equals to what we mentioned in instructions for Chrome.

4. Perform a Factory Reset

If you continue to stumble upon weird smartphone behavior and suspect the virus is not deleted, the best solution is resetting the device itself. This step will remove all the data stored on your system and roll all configuration settings back to the default state. In other words, you will reinstall your system from scratch. This will delete the virus and clean your smartphone from other unnecessary stuff in case you have not cleaned it for a very long time. Before doing so, make sure there is no important data to lose. It is also worth jotting the names of Google accounts and other services because most people tend to forget them throughout their usage. After performing the Factory Reset, you will have to log in to all of your user accounts once more. Now you are ready to dive into resetting your device.

  1. Open Settings and go to About phone.
  2. Right there, you will see information about Android and UI versions, your CPU, RAM, Memory, and more.
  3. Somewhere at the bottom, you will see the Reset button. Click on it and choose Factory Reset to erase all data and get your smartphone back to default settings.
  4. Agree with everything promoted and wait until your device completes the reset. It might take 30 minutes or close.
  5. Also, if you do not have the same location of settings and unable to find some of these steps, you can type Reset being in Settings and open it up.

In fact, you can find any setting you need using the search. It is our responsibility to provide detailed instructions so you have a full picture of the entire process.

Summary

We hope the instructions above were helpful, and you were able to eliminate all traces of Goldoson malware from your Android device and secure it. The provided tutorial is general and based on common malware detection and removal techniques. If you have any questions or additional information on the topic, please, share your thoughts in the comment section below.

Previous articleHow to remove Recov Ransomware and decrypt .recov files
Next articleHow to fix “ffmpeg.dll was not found” error
James Kramer
James Kramer
https://www.bugsfighter.com
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here
Facebook Twitter Youtube