Module Installed in Over 100 Android Apps Contained Spyware, Infected Over 421 Million Downloads

A popular mini-game module found in over 100 Android apps, pitched to developers as a legitimate marketing SDK meant to improve user engagement and attention, has been found to have spyware capability hidden in it.

A new report from the Dr. Web antivirus platform finds that the SpinOK module surreptitiously collects a wide range of user data, and has the capability to pass it back to a remote server and hide network connections while doing so. The module is in some popular apps that each have tens to hundreds of millions of downloads, and in total some 421 million people globally are thought to be impacted.

Wide variety of Android apps compromised, malware was passed via Google Play

Developers may have incorporated SpinOK in Android apps in the belief that it was a legitimate advertising and user engagement tool. The module is used for daily login reward popups for users, often accompanied by a small game (such as a wheel spin or lottery scratcher) that provides a reward such as in-app currency or tickets toward a prize raffle.

Possibly unbeknownst to developers, the module contained some extensive spyware. SpinOK has hidden features capable of capturing clipboard contents, indexing files on the device and searching for specific names or types, and exfiltrating files that the tainted app has been granted permissions for.

SpinOK also takes pains to hide the spyware from security researchers, indicating bad intentions. Whenever the module is initialized, it requests a large amount of technical information about the device (such as sensor activity) to determine if it is being run in an emulator environment. It also ignores device proxy settings, allowing it to hide network connections from attempts at analysis.

The spyware infected Android apps available through the Play Store, and some are quite popular. Two of them, video editor Noizz and file transfer app Zapya, have over 100 million installs. Three others have 50 million installs: video editors VFly, MVBit and Blugo. And several others have five to ten million installs. While video editors seemed to be a popular target, the tainted SDK spans a wide variety of app types including “cash back” apps, ebook readers and casino-style games.

Bud Broomhead, CEO at Viakoo, noted that apps that might plug into the digital payment systems of users seemed to be another point of focus: “The threat actors have burrowed deeply into a niche of Android games, those focused on making money for the player. It’s likely that they are focused on that niche for a reason, such as observing transfer of those funds to bank accounts or likelihood that the player will have specific files that can be further exploited.”

Spyware capabilities present, but unclear to what extent they were used

Between the clipboard access and file extraction, the SpinOK spyware is capable of nabbing a great deal of highly sensitive information from compromised devices. All but one of the ten largest Android apps that were infected (those with millions of downloads) have been removed from Google Play until they can return with a clean version. The infected apps came from a variety of developers, so at this point it does not appear that it was a coordinated campaign.

The spyware incident will no doubt feed a growing chorus of criticism of the security of the Play Store, and the relative uselessness of the built-in Google Play Protect. Play Protect is ostensibly meant to be something akin to Microsoft Defender: an automated malware and malfeasance detector that users do not have to install and that has low overhead. But third-party tests by security companies consistently find that it lags well behind other market options. The system improved from catching about 80% of malware to about 90% in the most recent annual AV-Test roundup, but that is compared to products at the top of the market that are routinely in the 98% to 100% range.

Though it was not a factor in this particular case, another issue that has plagued the Play Store (and that speaks to overall security issues) is the relative ease with which malicious “lookalike” Android apps continue to get listed and stay available for weeks or months. One flagrant recent example is the “DogeRAT” trojan, which targeted customers in India and was disguised in fake versions of OpenAI chatbot apps, the Opera Mini browser and even fake versions of YouTube and Instagram.

Another issue is the fact that the spyware was embedded in an SDK, something that Google does not even have access to if it is proprietary and that can be configured to hide malware from automated scans. Apple is stricter about allowing SDKs in App Store apps for this reason, and since 2021 has begun rejecting apps that use third-party SDKs to collect user data.

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, provides more insight into the risks that these modules can pose: “For mobile app developers, SDKs are mostly black boxes. All of them are integrated to accomplish a specific known task, whether free or paid. But no one checks what else the SDK can do, especially when it runs within an app on an end-user device. Malicious actors don’t make this simple either, as most suspicious activity code is downloaded only when certain conditions are met on the device to avoid detection. So the SDK might look benign for the most part to a source code scanner. If a proprietary SDK, then you don’t have access to the source code to begin with. Today’s SDKs are sophisticated enough to evade standard detection mechanisms.”

“Mobile app teams today have to complement their source code scanning with mobile app binary scanners that reverse-engineer the app to find vulnerabilities and do dynamic analysis. With vulnerabilities potentially hidden in binary protections, runtime data storage, decryption methods, dynamic code loading, system implementation, API use, and root detection mechanisms, your app security needs a robust defense,” added Vishnubhotla.
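One binary-level check of the kind described above, as an added example that is not from the article or the Dr. Web report: it parses a DEX file's type table and counts classes per package prefix outside the app's own namespace, so a team can see which SDK code actually ships in the build. The sample DEX, the package names and the function names are constructed for illustration.

```python
import struct
from collections import Counter

PLATFORM = ("java.", "javax.", "android.", "androidx.", "kotlin.", "dalvik.")

def type_descriptors(dex):
    """Return the type descriptors ('Lcom/foo/Bar;') in one DEX file's type_ids table."""
    if dex[:4] != b"dex\n" or len(dex) < 0x70:
        raise ValueError("not a DEX file")
    n_str, str_off, n_type, type_off = struct.unpack_from("<4I", dex, 0x38)
    out = []
    for (str_idx,) in struct.iter_unpack("<I", dex[type_off:type_off + 4 * n_type]):
        if str_idx >= n_str:
            raise ValueError("type_id outside string table")
        (pos,) = struct.unpack_from("<I", dex, str_off + 4 * str_idx)
        while dex[pos] & 0x80:               # skip the ULEB128 length prefix
            pos += 1
        end = dex.index(b"\x00", pos + 1)    # MUTF-8 payload is NUL-terminated
        out.append(dex[pos + 1:end].decode("utf-8", "replace"))
    return out

def third_party_packages(dex, own_prefix, depth=3):
    """Count classes per package prefix outside the app's own namespace and the platform."""
    skip = (own_prefix + ".",) + PLATFORM
    counts = Counter()
    for desc in type_descriptors(dex):
        desc = desc.lstrip("[")              # array types wrap an element type
        if not (desc.startswith("L") and desc.endswith(";")):
            continue                         # primitive such as 'I' or 'V'
        parts = desc[1:-1].split("/")[:-1]   # drop the class name, keep the package
        if parts and not (".".join(parts) + ".").startswith(skip):
            counts[".".join(parts[:depth])] += 1
    return dict(counts)

def build_sample_dex(descs):
    """Constructed test input: DEX header, string_ids, type_ids and string data only."""
    n = len(descs)
    str_off, type_off, offs, data = 0x70, 0x70 + 4 * n, [], b""
    for d in descs:
        offs.append(type_off + 4 * n + len(data))
        data += bytes([len(d)]) + d.encode() + b"\x00"   # 1-byte length (< 128)
    head = b"dex\n035\x00".ljust(0x38, b"\x00") + struct.pack("<4I", n, str_off, n, type_off)
    return head.ljust(0x70, b"\x00") + struct.pack(f"<{2 * n}I", *offs, *range(n)) + data

# Constructed sample: every package and class name below is hypothetical.
SAMPLE = build_sample_dex([
    "I", "Ljava/lang/String;", "Lcom/example/videoeditor/MainActivity;",
    "Lcom/example/videoeditor/ui/Timeline;", "Lsdk/hypothetical/rewards/WheelView;",
    "Lsdk/hypothetical/rewards/net/Uploader;", "[Lsdk/hypothetical/rewards/Task;",
    "Lorg/examplelib/json/Parser;"])
```

An APK is a ZIP archive holding one or more `classes*.dex` files, so each would be passed through `third_party_packages` in turn. Renamed packages and code fetched at runtime will not appear in this inventory, which is why the quote above pairs binary scanning with dynamic analysis.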

Aside from installing a reputable third-party app that tests well for catching malware, the best line of defense for Play Store users is to not download questionable Android apps in the first place. That means carefully scrutinizing off-site reviews from known reputable sources (as malicious apps frequently have lots of astroturfed reviews on the Play Store), and searching for malware warnings for anything that is at all questionable.