Android Malware With Almost 500M Downloads Resides in Google Play

Millions of Android users at risk from malicious SDK found on Google Play

Millions of Android users may be at risk of a cyberattack because of an Android malware module shipped in multiple modifications of apps on Google Play. In a recent blog post, Dr. Web reported the trojan module, which it names “Android.Spy.SpinOk.” The module is distributed through a marketing software development kit (SDK) embedded in 101 Google Play applications with a combined total of over 421,290,300 downloads.

How does the SDK work?

The module is presented to users as a way to keep them engaged through mini-games, tasks, prizes, and reward drawings. However, once activated, this malicious SDK connects to a command and control (C&C) server and sends technical details about the affected device. These details include readings from Android device sensors such as the gyroscope and magnetometer. Attackers can use this data to determine whether the module is running inside a sandbox environment of the kind security researchers use to study potentially harmful Android apps. The trojan module also ignores the device's proxy settings, which lets it hide its network connections from security teams who route traffic through a proxy during analysis.

Figure: SDK operation scheme

What do the experts say?

According to Dr. Web, the trojan SDK can execute JavaScript code on web pages containing ads, which lets it perform various functions such as obtaining files from the device and copying or substituting clipboard contents. The problem is that many mobile app developers do not thoroughly check the capabilities of the SDKs they integrate into their apps. Malicious actors take advantage of this, which makes their malicious code difficult to detect. Mobile-focused tools that cover both static and dynamic analysis are needed to combat this. In addition, the threat actors focus on a niche of Android games that allegedly make money for the player, possibly to observe the transfer of funds or to exploit specific files.

Bud Broomhead, CEO at Viakoo, notes that the 421 million-plus downloads figure must accurately reflect how many devices are impacted. Wi-Fi usage may offer some protection, but multiple layers of network security are necessary to reduce significant data exfiltration incidents.

How to protect your device from the malicious SDK?

To protect your device, it is important to update affected apps to the latest version available on Google Play, which ensures that the app you are running is the cleaned, safe version. If the app is no longer available on the Google Play Store, it is best to uninstall it immediately. After uninstalling, scan your device with a mobile antivirus to make sure all traces of the spyware have been removed.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
