Apps with over 420 Million downloads from Google Play unveil the discovery of SpinOk spyware

Researchers discovered spyware, dubbed SpinOk, hidden in 101 Android apps with over 400 million downloads in Google Play.

The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games, including those available on Google Play.

Upon executing the module, the malware-laced SDK connects to the C2 sending back a large amount of system information about the infected device. Info sent to the C2 includes data from sensors (e.g. gyroscope, magnetometer, etc.) that allows operators to determine if the malware is running on a real device or an emulator environment. The C2 in turn sends a list of URLs to the module, which opens them in the WebView to display advertising banners.

The malicious SDK also expands the capabilities of JavaScript code executed on webpages containing ads. The researchers observed that the module adds many features to the code, including the ability to:

• obtain the list of files in specified directories,
• verify the presence of a specified file or a directory on the device,
• obtain a file from the device, and
• copy or substitute the clipboard contents.

The operators of the trojan module can use these capabilities to gather sensitive information and files from a victim’s device. An instance of this would be accessing files that are accessible to apps containing Android.Spy.SpinOk. To steal the files, threat actors only have to inject the corresponding code into the HTML page of the advertisement banner.

Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads.”

Doctor Web estimated that millions of Android device owners are at risk of becoming victims of cyber espionage, and the security firm immediately shared its findings with Google.

Below is the list of the 10 most popular apps using the Android.Spy.SpinOk trojan SDK:

• Noizz: video editor with music (at least 100,000,000 installations),
• Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
• VFly: video editor&video maker (at least 50,000,000 installations),
• MVBit – MV video status maker (at least 50,000,000 installations),
• Biugo – video maker&video editor (at least 50,000,000 installations),
• Crazy Drop (at least 10,000,000 installations),
• Cashzine – Earn money reward (at least 10,000,000 installations),
• Fizzo Novel – Reading Offline (at least 10,000,000 installations),
• CashEM: Get Rewards (at least 5,000,000 installations),
• Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SpinOk)