Over 100 Android apps with more than 400 million downloads combined have been infected with a new malware strain that’s being distributed as a software development kit (SDK) for advertisers.
As reported by BleepingComputer, the discovery was made by security researchers at Dr. Web who found a spyware module inside the affected apps that they’ve dubbed ‘SpinOk’.
This new Android malware is being referred to as spyware because it can steal private data stored on Android phones and send it to a remote server controlled by the hackers behind this campaign.
App developers likely added the SpinOk module to their apps, as it appears to be legitimate at first glance and uses minigames to provide users with “daily rewards” with the aim of keeping them interested.
Unfortunately though, SpinOk performs a number of malicious activities in the background while checking an Android device’s sensor data (including its gyroscope and magnetometer) to determine whether or not it’s running on an actual phone.
Delete these apps right now
In its report on the matter, antivirus maker Dr. Web claims to have found 101 apps that were downloaded more than 421 million times from the Google Play Store. Below, you’ll find the affected apps with the most downloads; check out the report for the full list:
- Noizz: video editor with music - 100 million downloads
- Zapya - File Transfer, Share - 100 million downloads
- vFly: video editor&video maker - 50 million downloads
- MVBit - MV video status maker - 50 million downloads
- Biugo - video maker&video editor - 50 million downloads
- Crazy Drop - 10 million downloads
- Cashzine - Earn money reward - 10 million downloads
- Fizzo Novel - Reading Offline - 10 million downloads
- CashEM: Get Rewards - 5 million downloads
- Tick: watch to earn - 5 million downloads
While most of the affected apps have been removed from the Play Store, some are still available. If you have any of these apps installed on your Android smartphone, it’s recommended that you delete them immediately. However, the spyware has been removed in the latest versions of many of these apps, so you could update to the latest version instead of removing them entirely. Still, it’s probably best to delete these apps for your own safety.
Trojanized SDK
Once added to one of the affected apps, the trojanized SDK connects to a remote server in order to download a list of websites that are used to display minigames within the app.
Although the minigames are displayed within the apps as expected, SpinOk is capable of performing a number of malicious activities in the background that include listing files in directories, searching for particular files, uploading files from an infected smartphone or copying and replacing content from your clipboard.
While the file exfiltration functionality could be used to expose private images, videos and documents, the clipboard modification functionality could allow SpinOk’s creators to steal passwords and credit card data as well as to hijack any payments made using cryptocurrency.
At the moment, it’s still unclear as to whether or not the publishers of these 100+ Android apps were tricked by the distributor of the trojanized SDK or included it in their apps on purpose. However, as BleepingComputer notes, these types of infections are often the result of supply-chain attacks from a third party.
How to stay safe from bad apps
When it comes to staying safe from malicious apps, you need to be extremely careful when downloading new apps, even when they come from the Google Play Store. Bad apps manage to slip past Google’s own security checks from time to time, which is why you should exercise your best judgment when putting any new app on your phone.
You want to look at an app’s rating on the Play Store and read reviews while being mindful of the fact that both ratings and reviews can be faked. This is why it’s also a good idea to look for external reviews and especially video reviews so that you can see an app in action before installing it.
At the same time, you also want to be careful when using apps that request unnecessary permissions. For instance, a level or photo-editing app likely doesn’t need access to your contacts and call history to work.
For additional protection, you should consider installing one of the best Android antivirus apps on your phone. If you’re on a tight budget though, Google Play Protect comes pre-installed for free on all Android phones and can also scan both your existing apps and any new ones you download for malware.
We’ll likely hear more about SpinOk once Google and others conduct their own investigations into how this trojanized SDK managed to end up inside so many popular Android apps.