100 million Google downloads infected.

Apr 19 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Elon Musk to cybercrime’s “government-funded/backed” official Twitter page ???? Elon Musk: They see me trollin’, they hatin’ ???? #BBC #CBC

Today’s hottest cyber security stories:

  • 100 million Google downloads infected… Move over, corona!
  • ‘SimpleHelp’ yourself to our data, Iranian hackers ????
  • YouTube vids spread Aurora info stealer via ‘highly evasive loader’


Masks won’t save you from this infection (or any other… ???? JK!). It’s quite a feat, isn’t it? 100 million downloads infected before anybody twigged. But what happened, exactly?

Well, apparently, there’s a new Android malware strain causing some trouble in the Google Play Store. It goes by the name Goldoson, which kinda sounds like a fancy name for a goldfish or something.

Anyway, this sneaky little bugger has managed to infect over 60 legit apps that have been downloaded by over 100 million users! And get this, it’s also been tracked on ONE store in South Korea with an additional 8 million instals. Talk about a popular virus!

Now, what does this malware do, you ask? Well, it’s basically a spy that can gather all sorts of info from your phone, like what apps you have installed, what devices you’re connected to via Wi-Fi or Bluetooth, and even your GPS location. And if that wasn’t bad enough, it can also click on ads in the background without your permission, which is just plain rude.

But wait, there’s more! Goldoson is like a ninja when it comes to loading web pages. It can do it all stealthily, which could be used to load ads and make some serious cash. How does it do this, you ask? By loading HTML code in a hidden WebView and driving traffic to the URLs. Impressive, but also very naughty.

Luckily, some responsible folks at McAfee discovered this malware and told Google about it. So, they’ve pulled 36 of the 63 offending apps from the Google Play Store and updated the remaining 27 to remove the malicious library. Phew, crisis averted…for now. Moral of the story, folks, always be on the lookout for sneaky malware, even if it has a fancy name like Goldoson.


I know what you’re thinking. Muddy Waters, how could you? Not a blues fan, huh? Seriously, look up Muddy Waters – The Rolling Stones got their start by covering Muddy Waters’ tunes, for god sake!

But nah, we’re talking about a different MuddyWater. And it looks like this MuddyWater (the mischievous Iranian troublemaker!), is up to its old tricks, once again.

Rather than relying on shady tactics, they’ve opted for a more legit approach: using remote administration tools to hijack systems.

“SimplyHelp”, my ass!

They’ve tried their hand at ScreenConnect, RemoteUtilities, and Syncro before, but according to Group-IB, they’ve added a new tool to their arsenal: the SimpleHelp remote support software, which they used in June 2022.

MuddyWater has been causing chaos since 2017, and it’s believed that they’re backed by Iran’s Ministry of Intelligence and Security (MOIS).

They’ve got their sights set on a variety of countries, including Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan.

What do the experts say?

“MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices,” Nikita Rostovtsev, senior threat analyst at Group-IB, said.

“SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the official website and use it in their attacks.”

Is nothing sacred?!


Some cybersecurity researchers have uncovered a sneaky little loader called “in2al5d p3in4er” (or as I like to call it: “invalid printer”) that’s being used to deliver a nasty malware called Aurora. And let me tell you, this thing is a real piece of work.

According to the folks at Morphisec, this loader is built with some fancy-sounding software called Embarcadero RAD Studio, and it’s got some seriously advanced anti-VM tricks up its sleeve. In other words, it’s really good at hiding from the good guys.

But wait, it gets better (or worse, depending on your perspective!). Aurora is apparently a Go-based information stealer that’s been making the rounds since late 2022. And get this: it’s being offered up to other bad actors like it’s some kind of malware buffet.

All they have to do is click on some shady YouTube links or fake software download sites, and voila! They’ve got themselves a brand new malware to play with.

So, if you’re ever tempted to click on one of those ‘too good to be true’ links, just remember: you might end up with a lot more than you bargained for.

Stay safe out there, folks!

So long and thanks for reading all the phish!

Recent articles