A new Trojan, dubbed Android.Spy.SpinOk, has compromised approximately 421 million Android devices worldwide. This alarming revelation was made by the security researchers at Doctor Web, who uncovered extensive details about the Trojan in an advisory released on Monday.
The SpinOk Trojan exhibits several spyware functionalities, including file collection and clipboard content capture. Notably, the Trojan is distributed as a software development kit (SDK) embedded within other apps, allowing it to spread and infect millions of devices. It lures users with engaging features like mini-games, tasks, and prize opportunities. However, upon activation, the Trojan establishes a connection to a command and control (C2) server, transmitting extensive technical data about the infected device.
The threat actors appear to have specifically targeted a niche of Android games that focus on monetary rewards for the player. “It’s likely that they are focused on that niche for a reason, such as observing transfer of those funds to bank accounts or likelihood that the player will have specific files that can be further exploited,” said Bud Broomhead, CEO of Viakoo.
The data transmitted by the Trojan includes readings from various sensors, such as the gyroscope and magnetometer. This capability enables the module to identify emulator environments and adapt its operations to evade detection by security researchers. Moreover, the malware can disregard device proxy settings, thereby concealing its network connections from analysts who rely on an interception proxy. In return, it receives a list of URLs from the server, which it loads in a WebView to display advertising banners.
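The two evasion behaviours described above (sensor-based emulator profiling and proxy bypass) translate directly into checks an analyst can run against their own sandbox. The following Python is an added example, not code from the article or from Doctor Web's advisory: `looks_like_emulator()` reports whether a sensor stream looks like a stock emulator (flat or absent gyroscope/magnetometer readings), and `bypassed_proxy()` lists destinations a sample reached without passing through the configured interception proxy. The proxy address `10.0.2.2:8080`, the package name `com.example.rewardgame`, the `203.0.113.x` addresses and the variability threshold are all assumptions chosen for the example.

```python
"""Added example (not from the article or the Doctor Web advisory).

Two sandbox self-checks suggested by the SpinOk description:
1. looks_like_emulator(): does the sensor stream the sandbox exposes to an app
   look like real hardware (jittery) or like a bare emulator (constant/absent)?
   A sample that profiles the gyroscope and magnetometer before misbehaving
   stays quiet in the latter.
2. bypassed_proxy(): from a connection log, which sockets opened by the sample
   went straight to the internet instead of through the interception proxy?

All data below is constructed for the example.
"""
import random
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Reading:
    sensor: str  # e.g. "gyroscope", "magnetometer"
    x: float
    y: float
    z: float


def sensor_variability(readings: Sequence[Reading]) -> Dict[str, float]:
    """Mean per-axis standard deviation for each sensor present in the sample."""
    grouped: Dict[str, List[Reading]] = {}
    for r in readings:
        grouped.setdefault(r.sensor, []).append(r)
    result: Dict[str, float] = {}
    for name, rs in grouped.items():
        axes = ([r.x for r in rs], [r.y for r in rs], [r.z for r in rs])
        result[name] = sum(pstdev(a) for a in axes) / 3.0
    return result


def looks_like_emulator(
    readings: Sequence[Reading],
    required: Tuple[str, ...] = ("gyroscope", "magnetometer"),
    min_std: float = 1e-3,  # assumed threshold; real hardware jitters well above it
) -> bool:
    """True when a required sensor is missing or its readings never move."""
    var = sensor_variability(readings)
    return any(var.get(name, 0.0) < min_std for name in required)


def constructed_readings(noise: float, n: int = 20, seed: int = 7) -> List[Reading]:
    """Deterministic synthetic sensor stream; noise=0.0 imitates a bare emulator."""
    rng = random.Random(seed)
    baseline = {"gyroscope": (0.01, -0.02, 0.0), "magnetometer": (21.5, -3.2, 40.1)}
    return [
        Reading(name, *(b + rng.gauss(0.0, noise) for b in base))
        for _ in range(n)
        for name, base in baseline.items()
    ]


@dataclass(frozen=True)
class Conn:
    package: str
    dst_host: str
    dst_port: int


def bypassed_proxy(
    conns: Iterable[Conn],
    sample_package: str,
    proxy: Tuple[str, int] = ("10.0.2.2", 8080),  # assumed: emulator host alias + proxy port
    ignore_ports: Tuple[int, ...] = (53,),        # DNS to the resolver is expected
) -> List[str]:
    """Destinations the sample reached without traversing the configured proxy."""
    return sorted({
        f"{c.dst_host}:{c.dst_port}"
        for c in conns
        if c.package == sample_package
        and c.dst_port not in ignore_ports
        and (c.dst_host, c.dst_port) != proxy
    })


# Constructed connection log: documentation-range addresses, placeholder package names.
SAMPLE_CONNS = [
    Conn("com.example.rewardgame", "10.0.2.2", 8080),     # went through the proxy
    Conn("com.example.rewardgame", "10.0.2.3", 53),       # DNS, ignored
    Conn("com.example.rewardgame", "203.0.113.10", 443),  # direct TLS: bypassed proxy
    Conn("com.example.rewardgame", "203.0.113.10", 443),  # repeat of the same socket
    Conn("com.android.vending", "203.0.113.20", 443),     # another package, not the sample
]


if __name__ == "__main__":
    print("bare emulator flagged:", looks_like_emulator(constructed_readings(0.0)))
    print("noisy device flagged:", looks_like_emulator(constructed_readings(0.05)))
    print("proxy bypass:", bypassed_proxy(SAMPLE_CONNS, "com.example.rewardgame"))
```

If the first check reports `True` for your own analysis image, the emulator is handing apps constant sensor values and a sample with this kind of environment check will never reach its C2 stage; if the second check returns anything, the capture from the proxy is incomplete and a host-level capture (for example on the emulator's tap interface) is needed to see what was fetched.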
The SpinOk Trojan and its various iterations have been detected in several apps available on Google Play. While some apps still include the malicious software development kit (SDK), others carried it only in specific versions or have since been removed from the platform entirely.
“SDKs are mostly black boxes for mobile app developers. They are integrated to accomplish a specific known task, but no one checks what else the SDK can do, especially when it runs within an app on an end-user device,” explained Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium. He added that malicious actors often use deceptive tactics, as most suspicious activity code is downloaded only when certain conditions are met on the device to avoid detection.
According to Doctor Web, their analysis has revealed the Trojan’s existence in 101 apps, totalling 421,290,300 downloads. The firm confirmed that they have notified Google about the threat. As the investigation continues, users are advised to be cautious when downloading apps, particularly games that offer monetary rewards.