Android apps with spyware installed 421 million times from Google Play

A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.

Security researchers at Dr. Web discovered the spyware module and tracked it as 'SpinOk,' warning that it can steal private data stored on users' devices and send it to a remote server.

The antivirus company says SpinkOk demonstrates a seemingly legitimate behavior, using minigames that lead to "daily rewards" to spark user interest.

"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," explains Doctor Web's report.

In the background, though, the trojan SDK checks the Android device's sensor data (gyroscope, magnetometer) to confirm that it's not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps.

The app then connects to a remote server to download a list of URLs opened used to display expected minigames.

While the minigames are displayed to the apps' users as expected, Dr. Web says that in the background, the SDK is capable of additional malicious functionality, including listing files in directories, searching for particular files, uploading files from the device, or copying and replacing clipboard contents.

The file exfiltration functionality is particularly concerning as it could expose private images, videos, and documents.

In addition, the clipboard modification functionality code allows the SDK's operators to steal account passwords and credit card data, or hijack cryptocurrency payments to their own crypto wallet addresses.

Dr. Web claims this SDK was found in 101 apps that were downloaded for a cumulative total of 421,290,300 times from Google Play, with the most downloaded listed below:

• Noizz: video editor with music (100,000,000 downloads)
• Zapya – File Transfer, Share (100,000,000 downloads; Dr. Web says the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
• VFly: video editor&video maker (50,000,000 downloads)
• MVBit – MV video status maker (50,000,000 downloads)
• Biugo – video maker&video editor (50,000,000 downloads)
• Crazy Drop (10,000,000 downloads)
• Cashzine – Earn money reward (10,000,000 downloads)
• Fizzo Novel – Reading Offline (10,000,000 downloads)
• CashEM: Get Rewards (5,000,000 downloads)
• Tick: watch to earn (5,000,000 downloads)

All but one of the above apps have been removed from Google Play, indicating that Google received reports about the malicious SDK and removed the offending apps until the developers submitted a clean version.

A complete list of the apps reportedly using the SDK can be found on Dr. Web's site.

It is unclear if the publishers of the trojanized apps were deceived by the SDK's distributor or knowingly included it in their code, but these infections commonly result from a supply-chain attack from a third party.

If you use any of the apps listed above, you should update to the latest version available via Google Play, which should be clean.

If the app isn't available on Android's official app store, it is recommended to uninstall them immediately and scan your device with a mobile antivirus tool to ensure that any spyware leftovers are removed.

BleepingComputer has reached out to Google for a statement on this massive infection base, but a comment wasn't available by publication time.