The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games, including those available on Google Play.
Upon executing the module, the malware-laced SDK connects to the C2 sending back a large amount of system information about the infected device. Info sent to the C2 includes data from sensors (e.g. gyroscope, magnetometer, etc.) that allows operators to determine if the malware is running on a real device or an emulator environment. The C2 in turn sends a list of URLs to the module, which opens them in the WebView to display advertising banners.
The malicious SDK also expands the capabilities of JavaScript code executed on webpages containing ads. The researchers observed that the module adds many features to the code, including the ability to:
The operators of the trojan module can use these capabilities to gather sensitive information and files from a victim’s device. An instance of this would be accessing files that are accessible to apps containing Android.Spy.SpinOk. To steal the files, threat actors only have to inject the corresponding code into the HTML page of the advertisement banner.
Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads.”
Doctor Web estimated that millions of Android device owners are at risk of becoming victims of cyber espionage, and the security firm immediately shared its findings with Google.
Below is the list of the 10 most popular apps using the Android.Spy.SpinOk trojan SDK:
The full list of apps is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SpinOk)