SpinOk Mobile Malware

Cybersecurity researchers have uncovered a threatening software module with spyware capabilities that targets Android devices. Tracked as SpinOk, the module gathers sensitive data about the files stored on affected devices and can transmit this information to the attackers. It can also replace and upload the contents copied to the device's clipboard, forwarding them to a remote server controlled by the attackers.

The SpinOk Malware has been disguised as a marketing Software Development Kit (SDK). As such, it can be incorporated by developers into various applications and games, including those readily accessible on the Google Play Store. This distribution method allows the spyware-infected module to potentially infiltrate a wide range of Android software, posing a significant threat to user privacy and security. Indeed, according to infosec experts, SpinOk-infected Android applications have been downloaded and installed over 421 million times.

The SpinOk Malware was Found Injected into Numerous Applications on the Google Play Store

The SpinOk trojan module, along with several variations of it, has been identified within numerous applications distributed through the Google Play Store. Some of these applications still contain the compromised Software Development Kit (SDK), others carried it only in specific versions, and some have been removed from the store entirely. In total, this mobile malware has been found in 101 different applications, which have collectively amassed over 421,000,000 downloads. As a result, hundreds of millions of Android device owners are potentially at risk of falling victim to cyber espionage.

Among the applications found to carry the SpinOk spyware with the most downloads are:

  • A video editor Noizz with a minimum of 100 million installs.
  • A file transfer and share application, Zapya, with another 100 million installs.
  • VFly (video editor and maker), MVBit (MV video status maker), and Biudo (video editor and maker) each with a minimum of 50 million installs.

It should be pointed out that the SpinOk Malware was present in several versions of Zapya but was removed in version 6.4.1 of the application.

The presence of this Trojan module within these widely used applications poses a significant threat to the privacy and security of users. Immediate action is required to mitigate the potential risks associated with these compromised applications.

The SpinOk Mobile Malware Collects a Wide Range of Sensitive Data Under the Guise of Useful Functionalities

The SpinOk module presents itself as an engaging tool within applications, offering users mini-games, task systems, and the allure of prizes and rewards. However, upon activation, this Trojan Software Development Kit (SDK) establishes a connection with a Command-and-Control (C&C) server and transmits a comprehensive set of technical details about the infected device. These details include sensor data from components like the gyroscope and magnetometer, which can be utilized to identify emulator environments and adjust the module's behavior to evade detection by security researchers. To further obfuscate its activities during analysis, the Trojan module disregards device proxy settings, enabling it to conceal network connections.

Through its communication with the C&C server, the module receives a list of URLs, which it then loads in a WebView to display advertising banners. At the same time, the Trojan SDK extends the capabilities of the corrupted JavaScript code executed within the loaded Web pages. The added functions include the ability to access and enumerate files in specified directories, check for the existence of specific files or directories on the device, retrieve files from the device, and manipulate the contents of the clipboard.

These added capabilities provide the operators of the Trojan module with the means to acquire confidential information and files from the user's device. For instance, applications incorporating the SpinOk Trojan can be leveraged to manipulate the files accessible to them. The attackers accomplish this by inserting the necessary code into the HTML pages of the advertisement banners, enabling them to extract sensitive data and files from unwitting users.
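For defenders reviewing an application or a third-party SDK, the bridge capabilities described above can be checked statically in decompiled sources. The following is an added example, not code from the original article or from SpinOk: it assumes the functions are exposed through Android's standard `@JavascriptInterface` WebView bridge (the article does not name the mechanism), and the sample Java class, its method names and the marker patterns are constructed for illustration.

```python
import re

# The four capabilities are the ones the article lists; the API marker patterns
# are this example's own choice for illustration, not SpinOk indicators.
CAPABILITIES = {
    "enumerate_files": re.compile(r"\.listFiles\s*\(|\.list\s*\("),
    "check_existence": re.compile(r"\.exists\s*\("),
    "read_file": re.compile(r"\bFileInputStream\b|\bFiles\.readAllBytes\b"),
    "clipboard": re.compile(r"\bClipboardManager\b|PrimaryClip\b"),
}
BRIDGE_METHOD = re.compile(
    r"@JavascriptInterface\s+public\s+[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)[^{]*\{")

# Constructed decompiled source (hypothetical class and method names).
SAMPLE = '''
class AdBridge {
    @JavascriptInterface
    public String dir(String path) {
        return Arrays.toString(new File(path).listFiles());
    }
    @JavascriptInterface
    public boolean has(String path) { return new File(path).exists(); }
    @JavascriptInterface
    public void setClip(String text) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService("clipboard");
        cm.setPrimaryClip(ClipData.newPlainText("", text));
    }
    @JavascriptInterface
    public void close() { banner.dismiss(); }
    public byte[] load(String p) throws IOException { return Files.readAllBytes(Paths.get(p)); }
}
'''

def method_body(src, start):
    """Body text after the opening brace at `start` (naive: braces in string literals not handled)."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def audit_bridge(src):
    """Map each JavaScript-exposed method to the sensitive capabilities it touches."""
    findings = {}
    for m in BRIDGE_METHOD.finditer(src):
        hits = sorted(c for c, rx in CAPABILITIES.items() if rx.search(method_body(src, m.end())))
        if hits:
            findings[m.group(1)] = hits
    return findings
```

A finding is a prompt for manual review of what page content can reach the bridge, since legitimate SDKs also expose `@JavascriptInterface` methods; methods without the annotation, such as `load` in the sample, are not reachable from page JavaScript and are not reported.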
