This 'SpinOK' Trojan Malware Is Detected In Over 100 Android Apps, Installed 421 Million Times

Yet another day, yet another security issue found on Google Play Store.

According to a report from the security research firm Doctor Web, a highly dangerous malware has infected more than 100 apps on Google Play Store. The apps carrying the malware, dubbed 'SpinOK', have been downloaded more than 420 million times.

This puts a humongous number of Android users at risk.

According to Doctor Web, the malware is advertised as a marketing SDK, a package of marketing functions, like mini games and prize drawings, enticing Android developers to use it to keep visitors using applications for longer periods of time.

But instead of getting what was promised, the developers who were tricked helped distribute spyware, Doctor Web reported.

"Upon initialization, this Trojan SDK connects to a C2 server by sending a request containing a large amount of technical information about the infected device," the researchers explained. "Included are data from sensors, e.g., gyroscope, magnetometer, etc., that can be used to detect an emulator environment and adjust the module's operating routine in order to avoid being detected by security researchers."

"For the same purpose, it ignores device proxy settings, which allows it to hide network connections during analysis. In response, the module receives a list of URLs from the server, which it then opens in WebView to display advertising banners."
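The proxy bypass described above can be checked for at the network edge: a device that sends some traffic through the configured proxy yet also opens direct connections has a component that ignores the proxy setting. The following is an added example, not code from Doctor Web or from the original article; the flow-log format, the proxy address and every sample value are constructed assumptions.

```python
from collections import defaultdict

PROXY = ("10.0.0.2", 3128)      # assumed lab proxy address and port
NON_HTTP_PORTS = {53, 123}      # DNS and NTP never use an HTTP proxy

# Constructed gateway flow records: "epoch src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.50 10.0.0.2 3128
1004 10.0.0.50 203.0.113.9 443
1005 10.0.0.50 10.0.0.1 53
1010 10.0.0.50 10.0.0.2 3128
1030 10.0.0.50 203.0.113.9 443
1031 10.0.0.50 203.0.113.20 80
1100 10.0.0.51 10.0.0.2 3128
1200 10.0.0.52 198.51.100.7 443
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_proxy_bypass(text):
    """Return {device: {(dst, port): count}} for devices that use the proxy
    for some traffic yet also open direct connections."""
    uses_proxy = set()
    direct = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst, port in parse_flows(text):
        if src == PROXY[0]:
            continue                      # the proxy's own upstream traffic
        if (dst, port) == PROXY:
            uses_proxy.add(src)           # proof the proxy is configured
        elif port not in NON_HTTP_PORTS:
            direct[src][(dst, port)] += 1 # went around the proxy
    return {dev: dict(dsts) for dev, dsts in direct.items() if dev in uses_proxy}

if __name__ == "__main__":
    for device, dsts in find_proxy_bypass(SAMPLE_FLOWS).items():
        for (dst, port), n in sorted(dsts.items()):
            print(f"{device} -> {dst}:{port} direct x{n} (proxy configured)")
```

Devices that never touch the proxy are left out on purpose: they are simply unconfigured, whereas mixed proxied and direct traffic from one device is the pattern worth investigating.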

SpinOK
Credit: Doctor Web

Long story short, SpinOK can effectively turn apps into dropper apps.

What this means is that the apps don't necessarily have malicious functions themselves. They only serve as the Trojan horse that installs malicious programs, their payloads.

This is the main reason why the apps managed to pass Google Play Store's scrutiny, and managed to infect at least 7 million Android users around the world.

"Malicious actors have been surreptitiously adding a growing number of banking trojans to Google Play Store via malicious droppers this year, proving that such a technique is effective in evading detection," the researchers said.

The 10 most-downloaded compromised Android applications observed by the team at Doctor Web include:

  1. Noizz: video editor with music (at least 100,000,000 installations).
  2. Zapya: File Transfer, Share (at least 100,000,000 installations; the Trojan module was present in version 6.3.3 to version 6.4, but is no longer present in version 6.4.1).
  3. VFly: video editor & video maker (at least 50,000,000 installations).
  4. MVBit: MV video status maker (at least 50,000,000 installations).
  5. Biugo: video maker & video editor (at least 50,000,000 installations).
  6. Crazy Drop (at least 10,000,000 installations).
  7. Cashzine: Earn money reward (at least 10,000,000 installations).
  8. Fizzo Novel: Reading Offline (at least 10,000,000 installations).
  9. CashEM: Get Rewards (at least 5,000,000 installations).
  10. Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available via this link.

Doctor Web said that it notified Google about the applications distributing the SpinOk Trojan, which were addressed. But unfortunately, users who have already downloaded the apps are still at risk.

The team also called the state of vulnerabilities on Android concerning: according to statistics, every fifth program for Android contains a vulnerability (or, in other words, a "loophole") that lets cybercriminals successfully introduce Trojans onto mobile devices and manipulate them into doing whatever actions they need them to.

In order to stay safe from malicious apps, Android users are recommended to always check app reviews, and know who the developer is.

Users should then apply due diligence when looking into apps they wish to download, and always avoid sideloading apps or downloading apps from unofficial app stores.

Published: 07/06/2023