
A new form of spyware has been discovered in an Android software development kit (SDK). The SDK has been used in about 101 applications with an estimated 421 million downloads between them. Identified by Doctor Web researchers, the spyware, known as “SpinOk,” entices users with mini-games and compelling rewards.

Once activated, however, it connects to a command-and-control server and transmits detailed technical information about the compromised device. SpinOk goes to great lengths to evade detection: it checks whether it is running in an emulator environment and disregards the device’s proxy settings, both of which hinder analysis by security researchers.

The malicious module serves ads and manipulates JavaScript code on the web pages it loads. Beyond that, it compiles a list of files on the device, verifies the presence of specific files or directories, and can even read or replace clipboard contents.

A significant threat to users’ privacy

Among the infected apps are popular ones like Noizz, a music video editor with a staggering 100 million downloads, and Zapya, a file transfer app also boasting 100 million downloads. Other affected apps include the video tools VFly, MVBit, and Biugo, each with at least 50 million downloads. Numerous other apps, with download figures ranging from 5 million to 10 million, have also fallen victim to SpinOk’s infiltration.

Bud Broomhead, CEO of IoT security company Viakoo, noted that the threat actors behind SpinOk have homed in on Android games that generate profits for players. Broomhead suggests they may have a specific motive: potential targets include monitoring fund transfers to bank accounts or exploiting specific files found on players’ devices.

The numbers may not reflect reality

Broomhead says that, given the approximately 2 billion Android devices worldwide, if SpinOk has been installed 421 million times, roughly one out of every five devices could be affected.

Even if an estimated 25% of downloaded apps are never used again, there would still be a substantial number of “active” SpinOk downloads, around 316 million.

Malicious actors are crafty: the code that carries out the suspicious activity is downloaded only when specific conditions are met on the device, which helps it evade detection. This makes the SDK appear benign during a cursory source code scan, so users should remain wary.
