Android malware with nearly 500 million downloads resides on Google Play

Millions of Android users may be at risk from an Android malware campaign spread through multiple apps on Google Play. In a recent blog post, Dr. Web reported on a Trojan module, “Android.Spy.SpinOk,” that is distributed as a marketing software development kit (SDK) and was found embedded in 101 apps on Google Play with a combined total of more than 421,290,300 downloads.

How does the SDK work?

The module is designed to engage users through mini-games, tasks, prizes, and reward draws. However, upon activation, the SDK connects to a command and control (C&C) server and sends technical details about the affected device. These details include data from Android device sensors such as the gyroscope and magnetometer. The attackers can use this data to determine whether the module is running in an emulator or other isolated environment of the kind security researchers use to study potentially harmful Android apps. The Trojan module also ignores the device’s proxy settings, which lets it bypass an interception proxy and hide its network connections from security teams inspecting traffic.
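The sensor-based sandbox check described above, reconstructed as an added example (this is not SpinOk's code and not from Dr. Web's write-up): an emulator typically reports constant, often all-zero, gyroscope and magnetometer values on every poll, while a real handset shows small jitter even at rest. The readings, the threshold and the noise figures below are assumptions for illustration; the last function shows the analyst-side countermeasure, which is to feed the module plausibly noisy telemetry.

```python
# Added example: sandbox detection from motion-sensor telemetry, plus the
# analyst countermeasure. Readings, threshold and noise values are assumed.
from statistics import pstdev
import random

# Constructed samples: (gyro_x, gyro_y, gyro_z, mag_x, mag_y, mag_z) per poll.
PHYSICAL_DEVICE = [
    (0.012, -0.004, 0.021, 23.4, -5.1, 41.2),
    (0.031, -0.017, 0.008, 23.9, -4.6, 40.7),
    (-0.008, 0.006, 0.027, 22.8, -5.8, 41.9),
    (0.019, -0.011, 0.014, 23.1, -5.0, 41.4),
    (0.004, 0.009, 0.033, 24.2, -4.3, 40.2),
    (0.027, -0.021, 0.002, 23.5, -5.5, 41.0),
]
# Many emulator images return the same value on every poll, usually zero.
EMULATOR = [(0.0, 0.0, 0.0, 0.0, 0.0, 0.0)] * 8

JITTER_THRESHOLD = 1e-3  # assumed: below this per-axis spread, treat as synthetic


def axis_stddevs(readings):
    """Population standard deviation of each sensor axis across the readings."""
    return [pstdev(axis) for axis in zip(*readings)]


def looks_emulated(readings, threshold=JITTER_THRESHOLD):
    """True when every axis is effectively flat, i.e. shows no real-world jitter."""
    if len(readings) < 2:
        return True  # not enough telemetry to trust; a cautious module stays quiet
    return all(sd < threshold for sd in axis_stddevs(readings))


def defeat_check(base_reading, samples=8, seed=1):
    """Analyst-side countermeasure: produce plausibly noisy readings.

    A sandbox that hooks the sensor APIs can return values like these instead
    of constants so that the module proceeds to its real behaviour."""
    rng = random.Random(seed)
    sigma = (0.02, 0.02, 0.02, 0.5, 0.5, 0.5)  # assumed gyro / magnetometer noise
    return [
        tuple(v + rng.gauss(0.0, s) for v, s in zip(base_reading, sigma))
        for _ in range(samples)
    ]


if __name__ == "__main__":
    print("physical:", looks_emulated(PHYSICAL_DEVICE))            # False
    print("emulator:", looks_emulated(EMULATOR))                    # True
    print("patched: ", looks_emulated(defeat_check(EMULATOR[0])))   # False
```

A module doing this server-side has the same data, so the point for an analysis environment is not to run the sample without sensor emulation: hook the sensor APIs (or use a device farm) so the telemetry sent to the C&C looks like a handset, otherwise the sample simply never misbehaves.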

Figure: SDK operation scheme

What do the experts say?

According to Dr. Web, the Trojan SDK can execute JavaScript code on web pages that contain advertisements, which gives it a range of capabilities, such as retrieving files from the device and copying or replacing the clipboard content. The problem is that many mobile app developers do not double-check the capabilities of the SDKs they integrate into their apps. Malicious actors take advantage of this and obfuscate their code to make its activity hard to detect. Mobile-centric tools that cover both static and dynamic analysis are needed to combat this. Additionally, threat actors target niche Android games that supposedly generate money for the player, possibly to observe the transfer of funds or to get at specific files.
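One concrete form of the "double-check the SDK" advice above, as an added example that is not code from the original post or from Dr. Web: before an app ships, attribute every permission in the final build to the library whose manifest introduced it, so that a marketing SDK quietly adding storage or package-enumeration rights stands out. The library names, package names, permission lists and the HIGH_RISK set below are constructed assumptions for illustration.

```python
# Added example: attribute merged-manifest permissions to the library that
# declared them and flag what the app team never asked for. All manifests,
# library names and the HIGH_RISK list are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed per-library manifests: the app's own plus one bundled SDK.
LIBRARY_MANIFESTS = {
    "app": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.minigame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>""",
    "marketing-sdk": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.marketingsdk">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>""",
}

# Assumed subset of permissions that deserve a second look when an SDK adds them.
HIGH_RISK = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in one manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def attribute_permissions(manifests):
    """Map each permission in the merged result to the libraries declaring it."""
    sources = {}
    for library, xml in manifests.items():
        for perm in declared_permissions(xml):
            sources.setdefault(perm, []).append(library)
    return {perm: sorted(libs) for perm, libs in sources.items()}


def sdk_added_permissions(manifests, app_name="app"):
    """Permissions present in the build that the app's own manifest never asked for."""
    own = declared_permissions(manifests[app_name])
    return {
        perm: libs
        for perm, libs in attribute_permissions(manifests).items()
        if perm not in own
    }


def audit(manifests, app_name="app"):
    """Summary a release gate can act on: what SDKs added, and which of that is high risk."""
    added = sdk_added_permissions(manifests, app_name)
    return {
        "sdk_added": added,
        "high_risk": sorted(p for p in added if p in HIGH_RISK),
    }


if __name__ == "__main__":
    report = audit(LIBRARY_MANIFESTS)
    for perm, libs in report["sdk_added"].items():
        print(f"{perm} <- {', '.join(libs)}")
    print("high risk:", report["high_risk"])
```

Each AAR dependency carries its own AndroidManifest.xml at the root of the archive, which is where the per-library inputs come from. This is a static check only: the JavaScript-driven clipboard and file access the paragraph describes runs inside an ad WebView and needs no extra manifest permission, so a clean permission diff does not clear an SDK; it only tells you where to point the dynamic analysis.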

Bud Broomhead, CEO of Viakoo, notes that the figure of more than 421 million downloads should accurately reflect how many devices are affected. Using Wi-Fi can offer some protection, but multiple layers of network security are required to reduce the risk of significant data exfiltration incidents.

How to protect your device from the SDK?

To protect your device, it is important to update affected apps to the latest version available on Google Play, since newer releases should no longer contain the module. If an app is no longer available on the Google Play Store, uninstall it immediately. After uninstalling, scan the device with a mobile antivirus to ensure that all traces of the spyware have been removed.