May 29, 2023

Doctor Web discovered an Android software module with spyware functionality. It collects information on files stored on devices and is capable of transferring them to malicious actors. It can also substitute and upload clipboard contents to a remote server. Dubbed Android.Spy.SpinOk in accordance with Dr.Web classification, this module is distributed as a marketing SDK. Developers can embed it into all sorts of apps and games, including those available on Google Play.

On the surface, the SpinOk module is designed to maintain users’ interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings. Upon initialization, this trojan SDK connects to a C&C server by sending a request containing a large amount of technical information about the infected device. Included are data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module’s operating routine in order to avoid being detected by security researchers. For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners.

Below are examples of ads Android.Spy.SpinOk displays:

At the same time, this trojan SDK expands the capabilities of JavaScript code executed on loaded webpages containing ads. It adds many features to such code, including the ability to:

• obtain the list of files in specified directories,
• verify the presence of a specified file or a directory on the device,
• obtain a file from the device, and
• copy or substitute the clipboard contents.

This allows the trojan module’s operators to obtain confidential information and files from a user’s device—for example, files that can be accessed by apps with Android.Spy.SpinOk built into them. For this, the attackers would need to add the corresponding code into the HTML page of the advertisement banner.

Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads. Thus, hundreds of millions of Android device owners are at risk of becoming victims of cyber espionage. Doctor Web notified Google about the uncovered threat.

Below are the names of the 10 most popular programs found to carry the Android.Spy.SpinOk trojan SDK:

• Noizz: video editor with music (at least 100,000,000 installations),
• Zapya - File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
• VFly: video editor&video maker (at least 50,000,000 installations),
• MVBit - MV video status maker (at least 50,000,000 installations),
• Biugo - video maker&video editor (at least 50,000,000 installations),
• Crazy Drop (at least 10,000,000 installations),
• Cashzine - Earn money reward (at least 10,000,000 installations),
• Fizzo Novel - Reading Offline (at least 10,000,000 installations),
• CashEM: Get Rewards (at least 5,000,000 installations),
• Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available via this link.

Dr.Web anti-virus for Android successfully detects and neutralizes all known versions of the Android.Spy.SpinOk trojan module and programs that contain it, so this malicious app poses no threat to our users.

More details on Android.Spy.SpinOk

Indicators of compromise

Updated on September 15, 2023

SpinOk contacted Doctor Web in order to review the functionality causing the module to be detected as spyware. Following the review, SpinOK updated the module (com.spin.ok.gp) to version 2.4.2. This module version does not incorporate spyware features. The updated module’s scan report.