SpinOk Trojan Compromises 421 Million Android Devices

Written by

A new Android Trojan has been discovered by security researchers that potentially compromised 421 million devices.

The Doctor Web team unveiled information about the Trojan, dubbed Android.Spy.SpinOk, in an advisory published on Monday.

SpinOk features several spyware functionalities, including file collection and clipboard content capture. The Trojan can be embedded within other apps, which is how it spreads to infect millions of devices.

Read more on Android trojans: New Android Banking Trojan ‘Nexus’ Promoted As MaaS

The SpinOk module appears to offer users engaging features like mini-games, tasks and prize opportunities. However, upon activation, this Trojan SDK establishes a connection to a command and control (C2) server, transmitting extensive technical data about the infected device. 

“The threat actors have burrowed deeply into a niche of Android games, those focused on making money for the player,” said Viakoo CEO, Bud Broomhead.

“It’s likely that they are focused on that niche for a reason, such as observing transfer of those funds to bank accounts or likelihood that the player will have specific files that can be further exploited.”

The data includes information from various sensors (gyroscope, magnetometer, etc.), enabling the module to identify emulator environments and adapt its operations to avoid detection by security researchers.

Additionally, the malware can disregard device proxy settings, thus concealing network connections during analysis. In return, it receives a list of URLs from the server, which it loads in WebView to showcase advertising banners.

Doctor Web experts detected the presence of the Trojan module and its various iterations in several apps available on Google Play. While some still include the malicious software development kits (SDK), others had it only in specific versions or have been completely removed from the platform. 

“For mobile app developers, SDKs are mostly black boxes. All of them are integrated to accomplish a specific known task, whether free or paid. But no one checks what else the SDK can do, especially when it runs within an app on an end-user device,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.

“Malicious actors don't make this simple either, as most suspicious activity code is downloaded only when certain conditions are met on the device to avoid detection.”

Doctor Web said its analysis revealed the Trojan’s existence in 101 apps, totaling 421,290,300 downloads. The firm confirmed they notified Google about the threat.

“The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies.," a Google spokesperson told Infosecurity in an email. "Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.”

This article was updated on June 6th to include Google's comment.

What’s hot on Infosecurity Magazine?