These spyware-riddled Android apps have been installed over 400 million times - here's how to stay safe

Google Android figure standing on laptop keyboard with code in background
(Image credit: Shutterstock / quietbits)

Cybersecurity researchers have discovered a malicious SDK hiding in more than a hundred Android apps, many of which were previously available on the Google Play store. 

After being found by Dr. Web, the SDK was dubbed “SpinOK” - it’s an advertisement module that aims to keep people interested in the ads by offering minigames and daily rewards. 

Although working as intended on the surface, SpinOK was working in the background to exfiltrate sensitive data from the device it was installed on, exposing users to all kinds of risks, from identity theft, to wire fraud, and more.

Millions of downloads

"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," the researchers noted. 

However, the apps also stole plenty of data. It first analyzes the endpoint’s sensors to make sure it’s not running in a sandbox, and then it connects to a remote server to download a list of URLs which are used to display the minigames. Then, it lists files in directories, looks for certain documents, and copies them to the remote server, meaning it can exfiltrate videos, images, and other sensitive data. 

Furthermore, the malware is capable of monitoring the clipboard, a method often used by threat actors to steal credit card data, passwords, and gain access to cryptocurrency wallets. 

In total, 101 apps had this SDK integrated, and cumulatively, they were downloaded more than 420 million times from Google Play, only. 

The two most popular compromised apps, according to the researchers are Noizz: video editor with music, and Zapya - File Transfer, Share, both of which had more than 100 million downloads. For the latter, the trojan module was found in versions 6.3.3 to 6.4, with version 6.4.1 being clean. 

Other notable mentions include MVBit - MV video status maker, and Biugo - video maker&video editor, with 50 million downloads each. 

Almost all of the apps have since been removed from the Play Store, the publication says, adding that the complete list of apps can be found here.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.