These spyware-riddled Android apps have been installed over 400 million times - here's how to stay safe

Although working as intended on the surface, SpinOK was working in the background to exfiltrate sensitive data from the device it was installed on, exposing users to all kinds of risks, from identity theft, to wire fraud, and more.

Millions of downloads

"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," the researchers noted. 

However, the apps also stole plenty of data. It first analyzes the endpoint’s sensors to make sure it’s not running in a sandbox, and then it connects to a remote server to download a list of URLs which are used to display the minigames. Then, it lists files in directories, looks for certain documents, and copies them to the remote server, meaning it can exfiltrate videos, images, and other sensitive data. 

Furthermore, the malware is capable of monitoring the clipboard, a method often used by threat actors to steal credit card data, passwords, and gain access to cryptocurrency wallets. 

In total, 101 apps had this SDK integrated, and cumulatively, they were downloaded more than 420 million times from Google Play, only. 

The two most popular compromised apps, according to the researchers are Noizz: video editor with music, and Zapya - File Transfer, Share, both of which had more than 100 million downloads. For the latter, the trojan module was found in versions 6.3.3 to 6.4, with version 6.4.1 being clean. 

Other notable mentions include MVBit - MV video status maker, and Biugo - video maker&video editor, with 50 million downloads each. 

Almost all of the apps have since been removed from the Play Store, the publication says, adding that the complete list of apps can be found here.

• Check out the best firewalls right now