SpinOk spyware is affecting Android smartphones: How it works

SpinOk spyware is affecting Android smartphones: How it works
04 Jun 2023

The security specialists at Dr. Web, in collaboration with BleepingComputer, have discovered a new spyware module named 'SpinOk.'

According to the Russian IT security solutions vendor, the spyware can be incorporated into a variety of apps and mini-games, including those available on the Google Play Store.

Once the malicious software has access to your smartphone, your personal information may be at risk.

Why does this story matter?
Fact

According to researchers, 'SpinOk' is primarily using mini-games/services to infect Android users' devices. Mini-games are quite popular, and millions of users enjoy playing them. The malicious spyware tricks users in such a way that they end up having infected apps on their smartphones for a long time, leading to potential data breaches. The 'SpinOk' spyware-loaded apps have infected over 421 million handsets to date.

How does the spyware spread?
Details

Once a 'SpinOK' spyware-injected app is installed, it attacks the smartphone in the form of an advertisement.

It first connects with a remote server to receive a list of URLs, which it then opens in WebView to display advertising banners for services/mini-games with daily rewards.

While a user interacts with the in-app advertisements, 'SpinOk' performs malicious tasks in the background.

These apps/services have been compromised
More

According to Dr. Web, the trojan SDK carries the name "Android.Spy.SpinOk," and it has been detected in 101 apps available on Google Play Store.

Collectively, the applications have been downloaded over 421,290,300 times by smartphone users.

Here are some of the most popular ones with maximum downloads: Noizz, Zapya, VFly, MVBit, Biugo, Crazy Drop Cashzine, Fizzo Novel, CashEM, and Tick.

Supply-chain attack from a third party might be the cause
Scenario

The infected apps contain different levels of malicious content. While some still pack harmful software or have it in specific versions, others have been removed from Google's Play Store.

It's unclear if the developers/publishers were duped by the Trojan SDK's distributor or if they knowingly included the spyware in their code.

In general, it happens due to a supply-chain attack from a third party.

What if the spyware enters your phone?
Risks

The Trojan SDK can obtain a list of files in specified directories or verify their presence, obtain files from the device, and copy/substitute clipboard contents.

The attack contains data from a gyroscope, magnetometer, etc., to identify an emulator environment and alter the operating routine to evade detection by security researchers.

Post-initialization, it communicates with a C&C server to send the infected device's technical data.

Follow these steps to keep your device protected
Relief

If you've been using any of the infected apps listed previously, you are advised to update it to the most recent version to stay clear.

In case the app is no more available on the Play Store, you should uninstall it from your smartphone right away. Make sure to perform regular antivirus scans too.

Notably, Google is also taking appropriate action against such apps.