The Skyrocketing Menace of Spyware: Over 400 Million Apps Downloaded Through Google Play

Spyware Disguised as Marketing SDK Found in 101 Android Applications

Popular Android applications such as Noizz, Zapya, VFly, and Biugo have been found to contain spyware disguised as a marketing software development kit (SDK) that could extract and report sensitive data from users’ devices without their consent. According to the Russian antivirus vendor Doctor Web, at least 101 applications have contained a malicious SDK called SpinOk (also known as Adhubllka), which has racked up more than 421 million downloads. The report suggested that the existence of this malware highlights supply chain risks for mobile apps, where even benign applications can be hijacked and weaponized once their code is compromised.

Modus Operandi of SpinOk Trojan SDK

Doctor Web researchers have described the SpinOk Trojan SDK as a package of marketing functions, including mini-games and prize drawings, that are intended to engage users and extend their time with the application. The Trojan SDK connects to a command-and-control server by sending a request containing a large amount of technical information about the infected device, which includes data from sensors such as the gyroscope and magnetometer. SpinOk uses this information to detect an emulator environment and evade detection by malware analysts. The module then receives a list of URLs from the server, which it opens in WebView to display advertising banners. Unfortunately, this also gives attackers the ability to collect data from the compromised devices and send it back to a remote server.

Top 10 Compromised Android Applications

Doctor Web has notified Google about the applications that distributed the SpinOk Trojan SDK, but users who have already downloaded the apps are still at risk. The ten most-downloaded applications observed to be compromised by the SpinOk Trojan SDK include video editing apps such as Noizz, VFly, and Biugo, and file-sharing apps such as Zapya. The compromised apps have more than 100 million installs, except for CashEM and Tick, which have more than 5 million installs. The researchers have advised users to remove these apps from their devices immediately.

Supply Chain Risks for Mobile Apps

The infiltration of the SpinOk Trojan SDK highlights the risks of supply chain attacks, where a third-party provider’s software is repurposed to carry out malicious activity. In the case of mobile apps, developers rely on SDKs that provide valuable functionality such as analytics, payments, and advertising. However, these third-party software modules can also be misused to collect, exfiltrate, and monetize sensitive user data. The SpinOk Trojan SDK case shows how difficult it can be to identify a malicious SDK that masquerades as a legitimate marketing SDK. One possible mitigation step is to trust only reputable SDK providers with a history of compliance with standards and user privacy.
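As an added illustration (not code from Doctor Web or from this article), the sketch below shows one way a developer could triage bundled SDKs for the combination of behaviours described under "Modus Operandi": gyroscope and magnetometer reads, network access, and loading URLs in a WebView. It assumes the (calling class, referenced API) pairs were exported from a decompiler; the package names and sample data are constructed, and a match is a prompt for manual review, not a verdict.

```python
from collections import defaultdict

# Android framework APIs matching the behaviours the report describes.
TRAITS = {
    "gyroscope": {"android.hardware.Sensor.TYPE_GYROSCOPE"},
    "magnetometer": {"android.hardware.Sensor.TYPE_MAGNETIC_FIELD"},
    "webview_load": {"android.webkit.WebView.loadUrl"},
    "network": {"java.net.URL.openConnection",
                "java.net.URLConnection.getInputStream"},
}
# Assumption: only the full combination is worth a reviewer's time.
REQUIRED = {"gyroscope", "magnetometer", "webview_load", "network"}


def sdk_prefix(class_name, depth=3):
    """Group classes by their first `depth` package components."""
    return ".".join(class_name.split(".")[:depth])


def review_sdks(api_refs, app_package):
    """Return {sdk_prefix: sorted traits} for third-party code
    that shows every trait in REQUIRED."""
    seen = defaultdict(set)
    for caller, api in api_refs:
        if caller.startswith(app_package + "."):
            continue  # first-party code is reviewed separately
        for trait, apis in TRAITS.items():
            if api in apis:
                seen[sdk_prefix(caller)].add(trait)
    return {p: sorted(t) for p, t in seen.items() if REQUIRED <= t}


# Constructed sample with hypothetical package names, not report data.
SAMPLE_REFS = [
    ("com.example.editor.MainActivity", "android.webkit.WebView.loadUrl"),
    ("com.example.editor.Tilt", "android.hardware.Sensor.TYPE_GYROSCOPE"),
    ("org.example.analytics.Upload", "java.net.URL.openConnection"),
    ("net.example.rewards.env.Probe", "android.hardware.Sensor.TYPE_GYROSCOPE"),
    ("net.example.rewards.env.Probe", "android.hardware.Sensor.TYPE_MAGNETIC_FIELD"),
    ("net.example.rewards.net.Client", "java.net.URL.openConnection"),
    ("net.example.rewards.ui.Banner", "android.webkit.WebView.loadUrl"),
]

if __name__ == "__main__":
    flagged = review_sdks(SAMPLE_REFS, "com.example.editor")
    for prefix, traits in flagged.items():
        print(f"review {prefix}: {', '.join(traits)}")
```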

Conclusion

Mobile app supply chain risks are becoming more common, and the SpinOk Trojan SDK is one example of how hackers can exploit benign apps and add malicious components. Developers need to be mindful of the risk of supply chain attacks, vet the SDKs they use, and obtain them from trustworthy sources. Meanwhile, businesses and users should pay attention to the applications they download and regularly scrutinize their devices for suspicious activity. Though Google has removed the affected apps from its Play Store, the malware is still present on millions of Android devices, leaving them vulnerable to data breaches and cybercrime. Users should immediately uninstall the affected applications and keep their devices updated with the latest security patches.
