60 Android apps with 100 million installs contain malware — delete them right now

One phone with skull and crossbones on screen among several other clean-looking phones.
(Image credit: Marcos_Silva/Shutterstock)

Even the Google Play Store isn’t always safe as 60 Android apps with 100 million downloads combined were found to be spreading a new malware strain to unsuspecting users.

According to a new blog post from the cybersecurity firm McAfee, a new Android malware named Goldoson that collects data on a user’s installed apps, their Wi-Fi and Bluetooth-connected devices and even their location has been found lurking in 60 apps on the Play Store. The reason all of these legitimate apps became infected with malware in the first place is due to the fact that they all use the same third-party library.

Besides collecting a wealth of personal information, apps infected with the Goldoson malware can also perform ad fraud by clicking on ads in the background. Not only can this drain your smartphone’s battery but it could also put you at risk of having even more of your data collected by ad firms and data brokers.

Delete these apps right now

As McAfee is an App Defense Alliance member alongside ESET, Lookout and Zimperium, its researchers immediately informed Google following their discovery. 

The developers of the malware-infected apps were then informed, and while many removed the library spreading the Goldoson malware in the first place, those that did not had their apps taken down from the Play Store. However, if any of these apps are installed on your smartphone, you’ll need to remove them manually to stay safe. Likewise, the malware-infected versions of these apps could still be available on third-party app stores.

Here are just a few of the 60 apps that were found to be spreading the Goldoson malware and you can find the full list in McAfee’s blog post on the matter: 

  • L.POINT with L.Pay - 10 million downloads
  • Swipe Brick Breaker - 10 million downloads
  • Money Manager Expense & Budget - 10 million downloads
  • TMAP - 10 million downloads
  • GOM Player - 5 million downloads
  • Megabox - 5 million downloads
  • LIVE Score, Real-Time Score - 5 million downloads
  • Pikicast - 5 million downloads
  • Compass 9: Smart Compass - 1 million downloads
  • GOM Audio - Music, Sync lyrics - 1 million downloads
  • LOTTE World Magicpass - 1 million downloads

Harvesting data from unsuspecting Android users

Hand holding smartphone with glowing green text floating around it

(Image credit: Shutterstock)

When an Android user launches a malware-infected app containing Goldoson, the device is registered and receives configuration from a remote server controlled by the cybercriminals behind this campaign, according to BleepingComputer.

From here, Goldoson’s data-stealing and ad-clicking functions are configured along with how often they should run on an infected device. Normally, the data collection function activates every two days and a list of installed apps, location history, MAC addresses of devices connected over Bluetooth and Wi-Fi along with other data is sent back to the cybercriminals.

The amount of data collected on each user varies though as it depends on the permissions a user granted an infected app during installation. The best Android phones running Android 11 or higher are better protected against this arbitrary data collection, but as McAfee notes, even recent versions of the operating system like Android 13 still have enough permission to gather sensitive data in 10% of the apps infected with the Goldoson malware.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

At the time of writing, most of the apps on McAfee’s list have removed the third-party library used to infect them with the Goldoson malware. The ones that haven’t have been temporarily taken down from the Play Store.

Still though, if you have any of the apps in question installed on your smartphone, it’s still a good idea to remove them for the time being. Once enough time has passed and the apps have been fixed in an update, then you can reinstall them but you should still be cautious.

One of the easiest ways to stay safe from malicious apps and Android malware in general is to limit the number of apps installed on your smartphone. Instead of just installing any popular app, you should instead pick and choose and only have the most essential apps running on your smartphone.

Installing one of the best Android antivirus apps can help keep you safe from Android malware. At the same time though, you should also ensure that Google Play Protect is enabled on your smartphone as it scans both your existing apps and any new apps you download for malware.

Unlike the other malicious apps we’ve covered in the past, this time around it was the use of a third-party library that led to legitimate apps being infected with malware. This is why you need to be careful when installing any app on your Android smartphone.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.