UPDATED 19:55 EST / MAY 30 2023

SECURITY

Spyware discovered in 101 Android apps downloaded 421M times

A previously unknown form of Android spyware has been discovered in a marketing software development kit used in 101 applications that have been downloaded an estimated 421 million times.

Detailed today by researchers at Doctor Web Ltd., the spyware module called “SpinOk” attracts users through mini-games and promises various types of rewards. Once activated, the spyware connects to a command-and-control server and transmits detailed technical information about the infected device. SpinOk also attempts to circumvent detection measures, including those used by security researchers, for example by checking for emulator environments and ignoring proxy settings.

The module serves ads and augments the JavaScript code on loaded webpages so that it can gather a list of files, verify the existence of specific files or directories, and copy or replace clipboard contents. Access to such files could lead to the disclosure of confidential data.

Apps infected with SpinOk include Noizz, a video editor with music, and Zapya, a file transfer app, each with 100 million downloads. Other affected apps include the video tools VFly, MVBit and Biugo, each downloaded at least 50 million times, and various others with downloads ranging from 5 million to 10 million.

“The threat actors have burrowed deeply into a niche of Android games, those focused on making money for the player,” Bud Broomhead, chief executive officer at internet of things security platform company Viakoo Inc., told SiliconANGLE. “It’s likely that they are focused on that niche for a reason, such as observing the transfer of those funds to bank accounts or the likelihood that the player will have specific files that can be further exploited.”

Broomhead noted, though, that the volume of alleged downloads is exceptionally large and may not match reality. “If there are roughly 2 billion Android phones and tablets used around the world and this spyware module has been installed 421 million times, that means roughly one out of five phones is impacted,” Broomhead explained. “If estimates that 25% of apps are downloaded once and never get used again are accurate, it’s still 316 million ‘active’ downloads.”

Krishna Vishnubhotla, vice president of product strategy at mobile security solutions provider Zimperium Inc., said the case serves as a warning to mobile app developers using software development kits.

“All of them are integrated to accomplish a specific known task, whether free or paid, but no one checks what else the SDK can do, especially when it runs within an app on an end-user device,” Vishnubhotla said. “Malicious actors don’t make this simple either, as most suspicious activity code is downloaded only when certain conditions are met on the device to avoid detection. So the SDK might look benign for the most part to a source code scanner.”
