
SpinOk spyware found in over 100 Android apps with 421 million downloads

Malicious software, identified by Doctor Web, steals data and interacts with users through bogus games and prizes, endangering privacy


The antivirus company, Doctor Web, has detected spy software in more than 100 Android applications. These applications have amassed over 421 million downloads on Google Play. The malicious entity, dubbed 'SpinOk' by Doctor Web, comes in the form of a marketing SDK.

SpinOk hidden features and user interaction mechanisms

SpinOk is designed to harvest data from compromised devices, with capabilities ranging from stealing clipboard content to transmitting files to attackers. To keep users interested in the applications in which it is integrated, the module offers mini-games, activities and alleged prizes. Once launched, the software connects to the command and control (C&C) server, sending a wealth of information about the device, including data from sensors, enabling it to detect emulated environments. In response, the server provides numerous URLs to display banner ads via WebView.

Additional malicious features and risk to user privacy

In addition, SpinOk can compile a list of the files present in certain directories, check for the presence of specific files and directories, upload files from the device and copy or replace the contents of the clipboard. "This allows the operators of the trojan module to obtain sensitive information and files from the user's device - for example, files accessible by apps that have embedded Android.Spy.SpinOk. To do so, attackers would need to insert the corresponding code into the HTML page of the banner ad," explains Doctor Web.

Identify and remove infected apps

SpinOk's malicious modifications have been detected in a total of 101 applications on Google Play. Google was notified and removed some of the apps. In some cases, only certain versions contained the malicious SDK. The most popular applications that contained the malicious module include Noizz (over 100 million installs), Zapya (over 100 million installs - the code was present in versions 6.3.3 up to 6.4), VFly (over 50 million downloads), MVBit (over 50 million installs), and Biugo (over 50 million downloads). Doctor Web has published a complete list of infected applications.


05/31/2023 11:49

Marco Verro
