
Description 

The malicious spyware module is disguised as a developer tool and has infiltrated countless Android apps and games on the Google Play store. Operating covertly, this module remains hidden within these seemingly harmless applications.

Once activated, the malicious module secretly connects to a command-and-control server (C2) and sends a vast amount of information about the infected device. This data includes information from various sensors embedded within the device, such as the gyroscope and magnetometer. This helps the criminals controlling the malware to figure out if it’s running on an actual device or just a simulated one on a computer. The C2 server responds by sending a list of web addresses (URLs) to the module, which then discreetly opens these URLs within a hidden web browser, displaying intrusive advertising banners.

The malicious module also gives additional capabilities to the JavaScript code executed on web pages featuring advertisements. 

Researchers found that it adds many new features to the code, such as the ability to: 

  1. Retrieve a comprehensive list of files located in specific device folders.
  2. Verify the existence of particular files or folders on the device.
  3. Retrieve files from the device.
  4. Manipulate or replace the contents of the device’s clipboard.

The hackers behind this malware can use these capabilities to gather sensitive information and files from the victim’s device. For example, by incorporating malicious code into the web pages of the advertisement banners, the attackers can steal any files that are accessible to the apps containing this spyware module.

The security experts at Doctor Web found this malicious module and several different versions in many apps available on Google Play. While some apps still harbour this malicious module, others contain it solely within specific versions or have been entirely removed from the app store. Researchers have identified this malware in 101 apps with a combined total of at least 421,290,300 downloads. 

Researchers believe that millions of Android device owners are at risk of being victims of cyber spying. They promptly shared their findings with Google to help protect users and safeguard them against this dangerous threat.


Below is the list of the ten most popular apps using the Android.Spy.SpinOk trojan SDK:

  • Noizz – Video Editor with Music (at least 100,000,000 installations) 
  • Zapya – File Transfer, Share (at least 100,000,000 installations) 
  • VFly – Video Editor & Video Maker (at least 50,000,000 installations) 
  • MVBit – MV Video Status Maker (at least 50,000,000 installations) 
  • Biugo – Video Maker & Video Editor (at least 50,000,000 installations) 
  • Crazy Drop (at least 10,000,000 installations)
  • Cashzine – Earn money reward (at least 10,000,000 installations) 
  • Fizzo Novel – Reading Offline (at least 10,000,000 installations) 
  • CashEM – Get Rewards (at least 5,000,000 installations) 
  • Tick – Watch to Earn (at least 5,000,000 installations)

The full list of apps is available here
