Over 421,000,000 Times Installed Android Apps from Google Play Contain Malware

A spyware-enabled Android app module that can gather details about files kept on devices and send them to attackers.

Additionally, clipboard contents can be replaced and uploaded to a remote server.

“This malicious SDK collects information on files stored on Android devices and can transfer them to attackers; it can also substitute and upload clipboard contents to a remote server,” Dr. Web reports.

According to Dr. Web’s classification, this module is known as Android[.]Spy[.]SpinOk is offered as a marketing SDK.

Developers can incorporate it into a variety of Google Play-compatible apps and games.

The SpinOk module appears to keep users interested in apps through mini-games, a system of activities, and purported awards and reward systems.

Capabilities of Trojan SDK

• obtain the list of files in specified directories,
• verify the presence of a specified file or a directory on the device,
• obtain a file from the device, and
• copy or substitute the clipboard contents.

After initialization, this trojan SDK communicates to a C&C server by sending a request containing a substantial amount of technical data about the infected device.

The data from sensors, such as a gyroscope, magnetometer, etc., can be utilized to identify an emulator environment and change the running routine of the module to evade detection by security researchers.

To hide network connections while performing analysis, it ignores device proxy settings for the same reason.

The module responds by requesting a list of URLs from the server, which it then opens in WebView to show banner ads.

“This allows the trojan module’s operators to obtain confidential information and files from a user’s device.

For this, the attackers would need to add the corresponding code to the HTML page of the advertisement banner”, researchers explain.

This trojan SDK increases the functionality of JavaScript code running on loaded websites with advertisements.

Trojan Module Found In Several Apps 

Doctor Web experts discovered the trojan module and its numerous variations in various apps available through Google Play.

Some still have dangerous SDK in them, while others just had it in certain versions or were completely deleted from the catalog. 

It was found by malware researchers in 101 apps with at least 421,290,300 total downloads.

As a result, hundreds of millions of people using Android devices risk falling prey to cyber espionage.

Google was informed of the discovered threat by Doctor Web.

10 Most Popular Programs Found To Carry Trojan SDK

• Noizz: video editor with music (at least 100,000,000 installations),
• Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
• VFly: video editor&video maker (at least 50,000,000 installations),
• MVBit – MV video status maker (at least 50,000,000 installations),
• Biugo – video maker&video editor (at least 50,000,000 installations),
• Crazy Drop (at least 10,000,000 installations),
• Cashzine – Earn money reward (at least 10,000,000 installations),
• Fizzo Novel – Reading Offline (at least 10,000,000 installations),
• CashEM: Get Rewards (at least 5,000,000 installations),
• Tick: watch to earn (at least 5,000,000 installations).

The Dr. Web report suggests all known versions of Android are effectively detected and neutralized by Dr.Web anti-virus for Android.

The Spy.SpinOk trojan module and programs that contain it have been removed. Thus, users are not at risk from this harmful app.

Source: https://cybersecuritynews.com/spyware-enabled-android-app/