Malware attacks planned by hackers are not new to the digital age as we have witnessed them from time to time. Recently, a new Trojan malware called SpinOk was discovered, and reportedly it affected as many as 101 applications on Google Play Store. Researchers have claimed that these malware attacks are in the form of advertisements and looks like third-party attack. The motive of the hackers is to target the personal data of individuals.
The malware or software module is equipped with spyware functionality. It can collect information on files stored on devices and is capable of transferring them to malicious actors. It can also substitute and upload clipboard contents to a remote server.
Researchers at Dr Web, in collaboration with BleepingComputer, have identified a new spyware called ‘SpinOK’ which has infected over 100 applications available for download on the Google Play Store. What makes this malware even more dangerous is the fact that these applications have over 400 million downloads.
Some screenshots of how the attack might look:
The researchers have claimed that the malware attacks the device in the form of an advertisement SDK and offers minigames with daily incentives. However, after being downloaded, the malware captures user data and sends it to a distant server.
“On the surface, the SpinOk module is designed to maintain users’ interest in apps with the help of mini-games, a system of tasks, and alleged prizes and reward drawings,” the report by Doctor Web reveals.
According to Dr Web’s classification report, this module is known as Android[.]Spy[.]SpinOk is offered as a marketing SDK.
What happens if this Trojan malware enters your phone?
- obtains the list of files in specified directories,
- verifies the presence of a specified file or a directory on the device,
- obtains a file from the device, and
- copies or substitute the clipboard contents.
- After initialization, this trojan SDK communicates to a C&C server by sending a request containing a substantial amount of technical data about the infected device.
As per the report by Dr Web, the attack includes data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module’s operating routine in order to avoid being detected by security researchers. For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners.
“This allows the trojan module’s operators to obtain confidential information and files from a user’s device.
The report by Dr Web reveals that the infected apps had different levels of malicious content, with some still containing harmful software and others having it in specific versions or being removed entirely from the store.
Notably, these apps have been downloaded 421,290,300 times and this puts a significant number of Android users at risk of cyber threat. While the researchers have alerted Google about it, users are also asked to take precautions and stay away from downloading any such apps.
It is unclear if the publishers of the trojanized apps were deceived by the SDK’s distributor or knowingly included it in their code, but these infections commonly result from a supply-chain attack from a third party.
The ten most popular applications from the list are:
- Noizz: video editor with music (at least 100,000,000 installations)
- Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
- VFly: video editor&video maker (at least 50,000,000 installations),
- MVBit – MV video status maker (at least 50,000,000 installations),
- Biugo – video maker&video editor (at least 50,000,000 installations),
- Crazy Drop (at least 10,000,000 installations),
- Cashzine – Earn money reward (at least 10,000,000 installations),
- Fizzo Novel – Reading Offline (at least 10,000,000 installations),
- CashEM: Get Rewards (at least 5,000,000 installations),
- Tick: watch to earn (at least 5,000,000 installations).
The full list of applications can be found here in this report.
The Dr Web report also suggested all known versions of Android are effectively detected and neutralized by anti-virus for Android. Additionally, keep your device up to date with the latest system and security updates as these updates include bug fixes and improved security while addressing existing issues, such as bugs and crashes.
