A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
Security researchers at Dr. Web discovered the spyware module and tracked it as 'SpinOk,' warning that it can steal private data stored on users' devices and send it to a remote server.
The antivirus company says SpinkOk demonstrates a seemingly legitimate behavior, using minigames that lead to "daily rewards" to spark user interest.
"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," explains Doctor Web's report.
In the background, though, the trojan SDK checks the Android device's sensor data (gyroscope, magnetometer) to confirm that it's not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps.
The app then connects to a remote server to download a list of URLs opened used to display expected minigames.
Source: Dr.Web
While the minigames are displayed to the apps' users as expected, Dr. Web says that in the background, the SDK is capable of additional malicious functionality, including listing files in directories, searching for particular files, uploading files from the device, or copying and replacing clipboard contents.
The file exfiltration functionality is particularly concerning as it could expose private images, videos, and documents.
In addition, the clipboard modification functionality code allows the SDK's operators to steal account passwords and credit card data, or hijack cryptocurrency payments to their own crypto wallet addresses.
Dr. Web claims this SDK was found in 101 apps that were downloaded for a cumulative total of 421,290,300 times from Google Play, with the most downloaded listed below:
- Noizz: video editor with music (100,000,000 downloads)
- Zapya – File Transfer, Share (100,000,000 downloads; Dr. Web says the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
- VFly: video editor&video maker (50,000,000 downloads)
- MVBit – MV video status maker (50,000,000 downloads)
- Biugo – video maker&video editor (50,000,000 downloads)
- Crazy Drop (10,000,000 downloads)
- Cashzine – Earn money reward (10,000,000 downloads)
- Fizzo Novel – Reading Offline (10,000,000 downloads)
- CashEM: Get Rewards (5,000,000 downloads)
- Tick: watch to earn (5,000,000 downloads)
All but one of the above apps have been removed from Google Play, indicating that Google received reports about the malicious SDK and removed the offending apps until the developers submitted a clean version.
A complete list of the apps reportedly using the SDK can be found on Dr. Web's site.
It is unclear if the publishers of the trojanized apps were deceived by the SDK's distributor or knowingly included it in their code, but these infections commonly result from a supply-chain attack from a third party.
If you use any of the apps listed above, you should update to the latest version available via Google Play, which should be clean.
If the app isn't available on Android's official app store, it is recommended to uninstall them immediately and scan your device with a mobile antivirus tool to ensure that any spyware leftovers are removed.
BleepingComputer has reached out to Google for a statement on this massive infection base, but a comment wasn't available by publication time.
Update 6/3 - A Google spokesperson has sent BleepingComputer the following comment:
The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies.
Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.
Comments
Dr. Technical - 1 year ago
What good is it to say an app is "Play Protected" by Google if malware continues to slip through into apps downloaded by users.
Google's "seal of approval" means NOTHING! They have failed to do what they say they do.
EdwinDavidson - 1 year ago
This is why I avoid Google Android. Each and every audit of it records more and more malware. Google DOES NOT CARE. The numbers keep going up. AND EVEN I CAN SPOT MALWARE GOOGLE ALLOWS WITHOUT CARING MY REPORTS OF IT, after all - who cares.
ThomasMann - 1 year ago
Google ist a billion Dollar company, the idea that their user's security is one of their top 100 interests, is something that only idiots can believe.
And the vast majority of those retarded monkeys, who run all over the place staring at the phone in their hands, are the perfect willing "victims".
These 421.000.000 are a tip of the iceberg, as it is only ONE of many malwares that make it into their beloved instruments. Without these, their ridiculous lives would not have any meaning at all....
kesso101 - 1 year ago
With most users using Android devices. Google needs to step up its game in detecting these malicious applications containing spyware. The vetting of vendors allowed to add their apps to the play store has to be tightened. I know this can be seen as a difficult thing especially considering how much they might lose should app providers/customers leave. The silver line here is most people are android users and that is not going to change anytime soon.
aztony - 1 year ago
Any user relying solely on Google Play Protect to scan their device(s) for malware is putting their device in serious jeopardy.
Mahhn - 1 year ago
It's no joke, that google playstore is by far the largest malware delivery service ever. Joke is that their AI they are using to replace employees, isn't doing a good job either. Someone needs to add some Ethics subroutines to it's system.
colhis - 1 year ago
Then what should do users for safety purpose? use a apple instead?
build10240user - 1 year ago
Google needs to use something like VirusTotal to scan apps in my opinion.