SpinOK Android Malware Downloaded Over 400 Million Times, in 100+ Compromised Apps


Security researchers have identified an Android software component with spyware capabilities. Its primary function is to gather information on files stored on devices and facilitate their transmission to malicious individuals. It can also replace clipboard contents and upload them to a remote server. Flagged as Android.Spy.SpinOk, this component is distributed as a marketing software development kit (SDK), which developers can integrate into various applications and games, including those found on Google Play.

At first glance, the SpinOk module is designed to sustain users' engagement in apps through the incorporation of mini-games, task systems, and purported prizes and rewards. When initiated, this trojan SDK establishes a connection with a command-and-control (C&C) server by transmitting a request containing an extensive range of technical details about the infected device.

This includes data from sensors like the gyroscope and magnetometer, which can be employed to detect emulator environments and adapt the module's operational procedures to avoid detection by security researchers. Additionally, it bypasses device proxy settings to conceal network connections during analysis. In response, the module receives a list of URLs from the server, which it subsequently opens in WebView to exhibit advertising banners.

SpinOK Capabilities

The trojan SDK expands the capabilities of JavaScript code executed on loaded webpages featuring advertisements. It introduces various functionalities to this code, such as the ability to:

  • Acquire a list of files within specified directories.
  • Validate the presence of specific files or directories on the device.
  • Retrieve a file from the device.
  • Copy or substitute the contents of the clipboard.

Consequently, the operators of this trojan module can access confidential information and files from a user's device, particularly files that can be reached by apps containing Android.Spy.SpinOk. To accomplish this, the attackers would need to insert corresponding code into the HTML page of the advertisement banner.
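The capabilities listed above can be looked for from the defender's side when reviewing decompiled app or SDK source. The following is an added example, not code from the original report or from Doctor Web; it assumes the functions are exposed to page JavaScript through Android's standard `@JavascriptInterface` WebView bridge, which the article does not state. The token lists and the `AdBridge` sample are constructed for illustration.

```python
import re

ANNOTATION = "@JavascriptInterface"
# Article capability -> API tokens that commonly implement it (assumed heuristics).
CAPABILITY_TOKENS = {
    "list_files": ("listFiles(", ".list("),
    "check_path": (".exists(", ".isDirectory(", ".isFile("),
    "read_file": ("FileInputStream", "readAllBytes(", "openFileInput("),
    "clipboard": ("ClipboardManager", "getPrimaryClip(", "setPrimaryClip("),
}

def bridge_methods(source):
    """Yield (name, body) per annotated method; braces in strings are not handled."""
    pos = source.find(ANNOTATION)
    while pos != -1:
        start = pos + len(ANNOTATION)
        brace, semi = source.find("{", start), source.find(";", start)
        if brace != -1 and (semi == -1 or brace < semi):  # skip bodiless declarations
            name = re.search(r"(\w+)\s*\(", source[start:brace])
            depth, end = 0, brace
            for end in range(brace, len(source)):
                depth += {"{": 1, "}": -1}.get(source[end], 0)
                if depth == 0:
                    break
            if name:
                yield name.group(1), source[brace:end + 1]
        pos = source.find(ANNOTATION, start)

def audit(source):
    """Map each JavaScript-callable method to the sensitive capabilities it touches."""
    findings = {}
    for name, body in bridge_methods(source):
        hits = sorted(cap for cap, tokens in CAPABILITY_TOKENS.items()
                      if any(tok in body for tok in tokens))
        if hits:
            findings[name] = hits
    return findings

# Constructed sample with hypothetical class and method names; not SpinOk code.
SAMPLE = '''
class AdBridge {
    @JavascriptInterface public String ls(String d) { return Arrays.toString(new File(d).listFiles()); }
    @JavascriptInterface public boolean has(String p) { return new File(p).exists(); }
    @JavascriptInterface public void setClip(String t) { clip.setPrimaryClip(ClipData.newPlainText("", t)); }
    @JavascriptInterface public void toast(String m) { Toast.makeText(ctx, m, 0).show(); }
}
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a prompt for manual review, not proof of malice: legitimate apps also expose bridge methods, so what matters is whether untrusted ad content can reach them.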

Security researchers uncovered this trojan module and identified multiple variations of it within several apps distributed through Google Play. Some of these apps still contain the malicious SDK, others contained it only in specific versions, and some have been removed from the catalog entirely. Doctor Web's malware analysts detected its presence in 101 apps with a combined total of at least 421,290,300 downloads. Consequently, hundreds of millions of Android device owners are exposed to the risk of falling victim to cyber espionage. Doctor Web promptly notified Google about this uncovered threat.

June 2, 2023