A new Android malware, SpinOk, distributed as an advertisement SDK, has been discovered in several apps, many of which were previously listed on Google Play and have been downloaded a total of over 400 million times.
The Android.Spy.SpinOk module is designed to engage users with mini games, tasks, and alleged prizes, but it also contains spyware functionality. When initialized, the trojan SDK connects to a command and control (C&C) server and sends a request containing technical information about the infected device. This information includes data from sensors like the gyroscope and magnetometer, which can be used to detect emulator environments and adjust the module’s behavior to avoid detection by security researchers.
The module also ignores device proxy settings to hide network connections during analysis. In response to its request, it receives a list of URLs from the C&C server, which it opens in WebView to display advertising banners.
Capabilities of Trojan SDK
- obtain the list of files in specified directories,
- verify the presence of a specified file or a directory on the device,
- obtain a file from the device, and
- copy or substitute the clipboard contents.
Dr. Web claims that this SDK was found in 101 apps that were downloaded a total of 421,290,300 times from Google Play. The apps with the most downloads are listed below:
- Noizz (100,000,000 downloads)
- Zapya (100,000,000 downloads)
- VFly (50,000,000 downloads)
- MVBit (50,000,000 downloads)
- Biugo (50,000,000 downloads)
- Crazy Drop (10,000,000 downloads)
- Cashzine (10,000,000 downloads)
- Fizzo Novel (10,000,000 downloads)
- CashEM: Get Rewards (5,000,000 downloads)
- Tick: watch to earn (5,000,000 downloads)
If any of these apps is installed on your device, it is recommended to uninstall it immediately and scan the device.
How to stay safe from bad apps
1. Avoid Installing Apps From Unknown Sources
2. Avoid Third-Party App Stores
3. Cross-Check App Permissions With AppBrain
4. Review the App Listing Page