Malware

Apps with over 420 Million downloads from Google Play unveil the discovery of SpinOk spyware

Researchers discovered spyware, dubbed SpinOk, hidden in 101 Android apps with over 400 million downloads in Google Play.

The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games, including those available on Google Play.

Upon executing the module, the malware-laced SDK connects to the C2 sending back a large amount of system information about the infected device. Info sent to the C2 includes data from sensors (e.g. gyroscope, magnetometer, etc.) that allows operators to determine if the malware is running on a real device or an emulator environment. The C2 in turn sends a list of URLs to the module, which opens them in the WebView to display advertising banners.

The malicious SDK also expands the capabilities of JavaScript code executed on webpages containing ads. The researchers observed that the module adds many features to the code, including the ability to:

  • obtain the list of files in specified directories,
  • verify the presence of a specified file or a directory on the device,
  • obtain a file from the device, and
  • copy or substitute the clipboard contents.

The operators of the trojan module can use these capabilities to gather sensitive information and files from a victim’s device. An instance of this would be accessing files that are accessible to apps containing Android.Spy.SpinOk. To steal the files, threat actors only have to inject the corresponding code into the HTML page of the advertisement banner.

Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads.”

Doctor Web estimated that millions of Android device owners are at risk of becoming victims of cyber espionage, and the security firm immediately shared its findings with Google.

Below is the list of the 10 most popular apps using the Android.Spy.SpinOk trojan SDK:

  • Noizz: video editor with music (at least 100,000,000 installations),
  • Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
  • VFly: video editor&video maker (at least 50,000,000 installations),
  • MVBit – MV video status maker (at least 50,000,000 installations),
  • Biugo – video maker&video editor (at least 50,000,000 installations),
  • Crazy Drop (at least 10,000,000 installations),
  • Cashzine – Earn money reward (at least 10,000,000 installations),
  • Fizzo Novel – Reading Offline (at least 10,000,000 installations),
  • CashEM: Get Rewards (at least 5,000,000 installations),
  • Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SpinOk)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Earth Krahang APT breached tens of government organizations worldwide

Trend Micro uncovered a sophisticated campaign conducted by Earth Krahang APT group that breached 70…

1 hour ago

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released…

13 hours ago

Fujitsu suffered a malware attack and probably a data breach

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the…

15 hours ago

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

A critical vulnerability in WordPress miniOrange's Malware Scanner and Web Application Firewall plugins can allow…

21 hours ago

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.…

23 hours ago

Email accounts of the International Monetary Fund compromised

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year,…

1 day ago

This website uses cookies.