Malicious spyware downloaded 421 million times on Google Play

Spyware disguised as a marketing software development kit (SDK) has been found to have made its way into 101 Android apps, many of which were previously on Google Play, and has been downloaded more than 400 million times.

Doctor Web researchers call the malicious SDK "SpinOk" and report that it has a package of marketing features, such as mini-games and sweepstakes, to keep visitors using the app for long periods of time.

The researchers further explained that upon initialization, this Trojan SDK connects to a C2 server by sending a request containing information about the infected device. This includes data from sensors such as gyroscopes and magnetometers, which can be used to detect an emulator environment and adjust the module's behavior to avoid detection by security researchers.

Doctor Web said it informed Google about the applications that distributed the SpinOk Trojan, and the matter has been resolved, but users who have downloaded the apps are still at risk.

The 10 most downloaded affected Android apps observed by the team include:

· Noizz - video editor with music (at least 100,000,000 installs)

· Zapya - file transfer, sharing (at least 100,000,000 installs; the Trojan module was present in versions 6.3.3 to 6.4 and is no longer present in the current version 6.4.1)

· VFly - video editor and video maker (at least 50,000,000 installs)

· MVBit - MV video status maker (at least 50,000,000 installs)

· Biugo - video maker and video editor (at least 50,000,000 installs)

· Crazy Drop (at least 10,000,000 installs)

· Cashzine - Earn Rewards (at least 10,000,000 installs)

· Fizzo Novel - Offline Reading (at least 10,000,000 installs)

· CashEM - Earn Rewards (at least 5,000,000 installs)

· Tick - Watch for money (at least 5,000,000 installs)