Spyware disguised as a marketing software development kit (SDK) has been spotted making its way to 101 Android applications, ultimately racking up more than 421 million downloads.
Researchers at Doctor Web call the malicious SDK "SpinOk," and report that it's advertised as a package of marketing functions, like mini games and prize drawings, to keep visitors using applications for longer periods of time. Instead, unwitting developers helped distribute spyware, Doctor Web reported.
"Upon initialization, this Trojan SDK connects to a C2 server by sending a request containing a large amount of technical information about the infected device," the researchers explained. "Included are data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module's operating routine in order to avoid being detected by security researchers."
They added, "For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners."
Doctor Web said that it notified Google about the applications distributing the SpinOk Trojan, which were addressed but users who have already downloaded the apps are still at risk. The 10 most-downloaded compromised Android applications observed by the team include:
- Noizz - video editor with music (at least 100,000,000 installations)
- Zapya - File Transfer, Share (at least 100,000,000 installations; the Trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
- VFly - video editor & video maker (at least 50,000,000 installations)
- MVBit - MV video status maker (at least 50,000,000 installations)
- Biugo - video maker & video editor (at least 50,000,000 installations)
- Crazy Drop - (at least 10,000,000 installations)
- Cashzine - Earn money reward (at least 10,000,000 installations)
- Fizzo Novel - Reading Offline (at least 10,000,000 installations)
- CashEM - Get Rewards (at least 5,000,000 installations)
- Tick - watch to earn (at least 5,000,000 installations)