A recently identified malware targeting Android devices has been found embedded within various apps, some of which were available on Google Play and have accumulated a combined download count exceeding 400 million. Dubbed "SpinOk" by researchers at Dr. Web, this spyware module has the capability to pilfer sensitive user data from their devices and transmit it to a remote server.
Diving into details
SpinOk employs a clever strategy by presenting itself as an innocuous advertisement SDK and engaging users through mini-games that promise daily rewards.
However, in the underlying processes, the trojan SDK verifies the sensor data of the Android device (such as the gyroscope and magnetometer) to ensure that it is not operating within a controlled environment commonly utilized by researchers for analyzing potentially harmful Android applications.
Although the users of the application perceive the mini-games as intended, the SDK possesses hidden capabilities, including the ability to list files within directories, search for specific files, upload files from the device, or manipulate the contents of the clipboard by copying and replacing them.
Furthermore, the code responsible for modifying the clipboard enables the operators of the SDK to pilfer account passwords, credit card information, or even redirect cryptocurrency payments to their own crypto wallet addresses.
What are these apps?
The SDK was spotted in 101 apps that were downloaded for a total number of 421,290,300 from the Google Play Store. Here are some of the apps with the most downloads:
Noizz: video editor with music (100,000,000 downloads)
ESET researchers spotted a new Android malware, dubbed AhRAT, that is being distributed via an Android app and can extract user data, capture screenshots, record private audio, and collect keystrokes. The app was downloaded over 50,000 times before it was removed.
Earlier in May, CPR came across a new malware named FluHorse, which is a collection of a set of Android apps that impersonate genuine apps. The fake apps were downloaded by over a million users.
A new Android malware called Fleckpe was discovered on the Google Play Store, disguised as legitimate apps and downloaded over 620,000 times. The malware generated unauthorized charges by subscribing users to premium services.
The bottom line
In the case of SpinOk, the involvement of the publishers of the trojanized apps in the inclusion of the SDK in their code is uncertain - they may have been deceived by the distributor or intentionally included it. However, these infections often occur due to a third-party supply-chain attack. It is strongly recommended to uninstall or update those apps immediately.