These Android apps found to carry malicious spyware
A significant number of Android apps, including several that were previously available on the Google Play Store, have been discovered to contain a potentially dangerous software development kit.
The recently identified SDK, known as "SpinOK," was brought to light by Dr. Web. This particular software development kit is an advertising module that utilizes various tactics, such as offering mini-games and daily rewards, to engage users and maintain their interest in the displayed advertisements.
Upon investigation, Dr. Web uncovered an SDK and bestowed upon it the name "SpinOK." Disguised as a seemingly innocuous ad module employing enticing features like mini-games and daily prizes, SpinOK aimed to sustain user engagement with the displayed advertisements.
However, unbeknownst to users, this seemingly harmless module was surreptitiously extracting sensitive information from the device it was installed on. As a result, users unwittingly faced heightened risks of identity theft, wire fraud, and various other forms of cybercrime.
"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," the researchers stated.
Beyond its deceptive functionality, the discovered SDK was involved in extensive data theft through the compromised apps. To ensure it was not operating within a sandbox environment, the malicious software checked the sensors of the targeted device.
Once confirmed, it established a network connection to fetch a roster of URLs essential for rendering the embedded mini-games. Disturbingly, this allowed the SDK to pilfer a wide range of content, including videos, photos, and other private information. By systematically scanning directories, searching for specific documents, and subsequently transferring them to a remote server, the malware enabled unauthorized access to users' sensitive files.
Additionally, the malware exhibited a common tactic employed by malicious actors: monitoring the clipboard to collect sensitive information. This technique heightened the risk of further data exposure, as the SDK clandestinely tracked and intercepted data stored in the clipboard, potentially compromising critical details and exacerbating the threat to user privacy.
Over 420 million downloads
The extent of the SDK's reach is staggering, with over 420 million instances of apps containing this SDK being downloaded solely from Google Play. Among the compromised apps, researchers identified two highly popular ones, Noizz: video editor with music and Zapya - File Transfer, Share, both boasting over 100 million users.
The trojan module was found in versions 6.3.3 through 6.4 of Zapya, while version 6.4.1 was verified as clean. Notably, other heavily downloaded apps, including MVBit (an MV video status producer) and Biugo (a video maker and editor), accumulated over 50 million downloads each.
Here are some of the most downloaded apps identified by Dr. Web:
- Noizz: video editor with music - 100,000,000 downloads
- Zapya – File Transfer, Share - 100,000,000 downloads (Trojan module present in versions 6.3.3 to 6.4, but absent in the current version 6.4.1)
- VFly: video editor&video maker - 50,000,000 downloads
- MVBit – MV video status maker - 50,000,000 downloads
- Biugo – video maker&video editor - 50,000,000 downloads
- Crazy Drop - 10,000,000 downloads
- Cashzine – Earn money reward - 10,000,000 downloads
- Fizzo Novel – Reading Offline - 10,000,000 downloads
- CashEM: Get Rewards - 5,000,000 downloads
- Tick: watch to earn - 5,000,000 downloads
The article reports that nearly all of the implicated apps have been removed from Google Play Store, and interested readers can consult the comprehensive list of affected apps for further information.Advertisement