A recent discovery by security researchers at Dr. Web has unveiled a new Android malware known as ‘SpinOk,’ which has been distributed through advertisement SDKs embedded in various apps. What’s concerning is that many of these apps were previously available on Google Play and had collectively garnered over 400 million downloads.
SpinOk, classified as spyware, poses a serious threat as it has the capability to pilfer private data stored on users’ devices and transmit it to a remote server. To entice users, the malware employs a seemingly legitimate approach, employing minigames that promise “daily rewards” to capture user attention and engagement.
At a superficial level, the SpinOk module functions to sustain user interest in the associated apps by employing a combination of minigames, task systems, and the lure of prizes and rewards. However, beneath this facade lies the Trojan SDK, which stealthily operates in the background. It checks the Android device’s sensor data, such as the gyroscope and magnetometer, to ensure that it is not running within a sandboxed environment. Such environments are commonly used by researchers for analyzing potentially malicious Android applications.
Once confirmed that it is not being scrutinized within a sandboxed environment, the app establishes a connection with a remote server, subsequently downloading a list of URLs. These URLs are then utilized to present the expected minigames to users.
The discovery of SpinOk raises significant concerns about the security and privacy of Android users, particularly considering the substantial number of downloads these infected apps have accumulated. It underscores the importance of robust security measures and emphasizes the need for users to exercise caution when installing apps, even from seemingly reputable sources such as Google Play.
While users of the affected apps are presented with the expected minigames, it has been discovered by Dr. Web that the embedded SDK possesses additional malicious capabilities operating in the background. These functionalities include the ability to list files within directories, search for specific files, upload files from the user’s device, and manipulate clipboard contents.
The file exfiltration feature is particularly alarming as it puts private images, videos, and documents at risk of exposure. Furthermore, the SDK’s clipboard modification code enables the operators to pilfer account passwords, credit card details, and even intercept cryptocurrency payments, redirecting them to their own crypto wallet addresses.
Dr. Web’s findings have identified this nefarious SDK in a total of 101 apps, which collectively amassed an astonishing 421,290,300 downloads from Google Play. These figures highlight the significant scale of the potential risk posed by this Android malware and the urgent need for users to remain vigilant and take necessary precautions to protect their personal data. The most downloaded apps associated with this threat are listed below.
- Noizz: video editor with music (100,000,000 downloads)
- Zapya – File Transfer, Share (100,000,000 downloads; Dr. Web says the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
- VFly: video editor&video maker (50,000,000 downloads)
- MVBit – MV video status maker (50,000,000 downloads)
- Biugo – video maker&video editor (50,000,000 downloads)
- Crazy Drop (10,000,000 downloads)
- Cashzine – Earn money reward (10,000,000 downloads)
- Fizzo Novel – Reading Offline (10,000,000 downloads)
- CashEM: Get Rewards (5,000,000 downloads)
- Tick: watch to earn (5,000,000 downloads)
With the exception of one app, all the mentioned apps have been taken down from Google Play, suggesting that Google promptly responded to reports regarding the presence of the malicious SDK and temporarily removed the affected apps until the developers could provide a clean version.
For a comprehensive list of the apps identified as utilizing the SDK, you can visit Dr. Web’s website. The exact nature of the involvement of the app publishers in incorporating the trojanized SDK remains uncertain. It is unclear whether they were deceived by the SDK’s distributor or knowingly included it in their code. Typically, such infections occur as a result of a supply-chain attack originating from a third party.
If you happen to use any of the apps listed above, it is crucial to update to the latest version available through Google Play, as it should be free of any malicious components. However, if the app is no longer available on the official Android app store, it is highly recommended to uninstall it immediately and perform a thorough device scan using a reputable mobile antivirus tool. This step is essential to ensure the complete removal of any spyware remnants that may have been left behind. Taking these precautions will help safeguard your device and protect your sensitive information.
