Security News

A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The malicious malware component is part of a third-party library used by all sixty apps that the developers unknowingly added to their apps.

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine.

Google has released an emergency Chrome security update to address the first zero-day vulnerability exploited in attacks since the start of the year. This update was immediately available when BleepingComputer checked for new updates from the Chrome menu > Help > About Google Chrome.

Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation. Mitigating such risks requires addressing the root cause of the vulnerabilities and prioritizing modern secure software development practices to eliminate entire classes of threats and block potential attack avenues.

The security researchers found that Google Play threats and Android phone infections are big business. A Google Play developer account can be bought for around $60-$200 USD depending on account characteristics such as the number of developed apps or the number of downloads.

Google has announced the Google Cloud Assured Open Source Software service, which aims to be a trusted source of secure open source packages, and the deps. With Assured OSS, Google offers organizations the opportunity to integrate into their own developer workflows the same OSS packages Google uses and secures.

Open source software and software supply chain security risks continue to be a primary concern for developers and organizations. According to a 2022 study by electronic design and automation company Synopsys, 84% of open source software codebases contained at least one known vulnerability - a nearly 4% increase from last year - and 48% contained a high-risk vulnerability.

Malware developers have created a thriving market promising to add malicious Android apps to Google Play for $2,000 to $20,000, depending on the type of malicious behavior cyber criminals request. The exact price for these services is negotiated on a case-by-case basis on hacker forums or Telegram channels, allowing cybercriminals to customize malicious Android apps with their own malware or functionality.

"The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023. Dropper apps are the primary means for threat actors looking to sneak malware via the Google Play Store.

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. Before cybercriminals can share their malicious apps from Google's official store, they'll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each.