May 29, 2023
On the surface, the SpinOk module is designed to maintain users’ interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings. Upon initialization, this trojan SDK connects to a C&C server by sending a request containing a large amount of technical information about the infected device. Included are data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module’s operating routine in order to avoid being detected by security researchers. For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners.
Below are examples of ads Android.Spy.SpinOk displays:
- obtain the list of files in specified directories,
- verify the presence of a specified file or a directory on the device,
- obtain a file from the device, and
- copy or substitute the clipboard contents.
This allows the trojan module’s operators to obtain confidential information and files from a user’s device—for example, files that can be accessed by apps with Android.Spy.SpinOk built into them. For this, the attackers would need to add the corresponding code into the HTML page of the advertisement banner.
Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads. Thus, hundreds of millions of Android device owners are at risk of becoming victims of cyber espionage. Doctor Web notified Google about the uncovered threat.
Below are the names of the 10 most popular programs found to carry the Android.Spy.SpinOk trojan SDK:
- Noizz: video editor with music (at least 100,000,000 installations),
- Zapya - File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
- VFly: video editor&video maker (at least 50,000,000 installations),
- MVBit - MV video status maker (at least 50,000,000 installations),
- Biugo - video maker&video editor (at least 50,000,000 installations),
- Crazy Drop (at least 10,000,000 installations),
- Cashzine - Earn money reward (at least 10,000,000 installations),
- Fizzo Novel - Reading Offline (at least 10,000,000 installations),
- CashEM: Get Rewards (at least 5,000,000 installations),
- Tick: watch to earn (at least 5,000,000 installations).
The full list of apps is available via this link.
Dr.Web anti-virus for Android successfully detects and neutralizes all known versions of the Android.Spy.SpinOk trojan module and programs that contain it, so this malicious app poses no threat to our users.
More details on Android.Spy.SpinOk
Updated on September 15, 2023
SpinOk contacted Doctor Web in order to review the functionality causing the module to be detected as spyware. Following the review, SpinOK updated the module (com.spin.ok.gp) to version 2.4.2. This module version does not incorporate spyware features. The updated module’s scan report.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.