A new spyware disguised as a marketing software development kit (SDK) has been detected in at least 101 Android applications, which have been downloaded more than 421 million times. Dubbed “SpinOk,” the malicious SDK is advertised as a package of marketing functions like mini games and prize draws, designed to keep users engaged with the app for longer periods of time. Unfortunately, some developers were not aware that the SpinOk SDK contained spyware. As a result, users who have already downloaded the apps are still at risk.
According to researchers from Doctor Web, who first discovered the malware, the Trojan SDK connects to a command-and-control (C2) server right after initialization by sending a request that contains a lot of technical information about the infected device. This includes data from sensors like the gyroscope and magnetometer, which can be used to detect an emulator environment, potentially allowing the malware to avoid detection.
Furthermore, the SpinOk SDK ignores device proxy settings, making it even more difficult to trace network connections. In response to its request, the module receives a list of URLs from the C2 server, which it then opens in WebView to display advertising banners. Doctor Web noted that it has informed Google about the applications distributing the SpinOk Trojan; however, the warning came too late for users who had already downloaded the affected apps.
According to Doctor Web, the top 10 Android applications affected by the SpinOk Trojan are:
- Noizz-video editor with music: at least 100,000,000 installations
- Zapya-File Transfer, Share: at least 100,000,000 installations (the Trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
- VFly-video editor and video maker: at least 50,000,000 installations
- MVBit-MV video status maker: at least 50,000,000 installations
- Biugo-video maker & video editor: at least 50,000,000 installations
- Crazy Drop: at least 10,000,000 installations
- Cashzine-Earn money reward: at least 10,000,000 installations
- Fizzo Novel Reading Offline: at least 10,000,000 installations
- CashEM-Get Rewards: at least 5,000,000 installations
- Tick-watch to earn: at least 5,000,000 installations
All users are advised to uninstall those applications immediately.
The SpinOk Trojan can potentially steal sensitive information, such as banking credentials, passwords, and other important data stored on the infected device. Victims of spyware attacks may not even realize that they have been targeted until it is too late. To avoid falling victim to these types of attacks, users should be cautious about downloading apps from unknown or suspicious sources.
It is also important to keep Android devices updated with the latest security patches and to avoid rooting the device, as this can make it easier for malware to take over the system. In addition, users should limit the amount of personal information they share online and avoid clicking on links or attachments from unfamiliar email addresses or social media accounts.
In conclusion, the appearance of the SpinOk Trojan in several Android apps poses a significant threat to the privacy and security of users who have already downloaded those apps. As always, users are advised to remain vigilant and to take all the necessary precautions to protect their devices from any potential cybersecurity threats.