Application security, Endpoint/Device Security, Vulnerability Management

Millions of Android users at risk from malicious SDK found on Google Play

Google Pixel smartphone

A trojan module and several modifications of it were found distributed via Google Play that could potentially mean that millions of Android users are at risk of a cyberattack.

In a Monday blog post, Dr. Web said the trojan module was distributed as a marketing software development kit (SDK) with at least 421,290,300 downloads on 101 Google Play applications.

Dubbed "Android.Spy.SpinOk," Dr. Web reported that the module was designed to maintain the interest of users via mini-games, a systems of tasks, and various “prizes” and "reward" drawings. Once initialized, the malicious SDK connects to a command-and-control server by sending a request containing a large amount of technical information about the infected device. The trojan module ignores device proxy settings, which lets it hide network connections during a security team’s analysis.

Dr. Web said the module then receives a list of URLs from the server, which it opens in WebView to display advertising banners. The trojan SDK then expands the capabilities of JavaScript code executed on loaded webpages containing ads. It adds many features to the code, including the ability to do the following: obtain the list of files in specified directories; verify the presence of a specified file or a directory on the device; obtain a file from the device; and copy or substitute the clipboard contents.

For mobile app developers, SDKs are integrated to accomplish a specific known task, whether free or paid, said Krishna Vishnubhotla, vice president of product strategy at Zimperium. However, Vishnubhotla said people don’t always check what else the SDK can do, especially when it runs within an app on an end-user device.

“Malicious actors don't make this simple, either, as most suspicious activity code is downloaded only when certain conditions are met on the device to avoid detection,” said Vishnubhotla. “So the SDK might look benign, for the most part, to a source-code scanner. If it’s a proprietary SDK, then you don't have access to the source code to begin with. Today's SDKs are sophisticated enough to evade standard detection mechanisms. Unseen threats are often the most dangerous. For mobile, we must go beyond the surface with the right mobile-focused tools that cover static and dynamic analysis.”

Bud Broomhead, chief executive officer at Viakoo, added that the threat actors have burrowed deeply into a niche of Android games, those focused on allegedly making money for the player. Broomhead said it’s likely that they are focused on that niche for a reason: observing transfer of those funds to bank accounts or the likelihood that the threat actor will have specific files that attackers can further exploit.

Broomhead pointed out that the 421 million-plus downloads figure doesn’t really match reality. He said if there are roughly 2 billion Android phones and tablets used around the world, and this spyware module has been installed 421 million times, that means roughly 1 out of 5 phones are impacted. 

“If estimates are that 25% of apps are downloaded once and never get used again are accurate, it’s still 316 million ‘active’ downloads,” said Broomhead. “Using Wi-Fi may offer some benefits in cases like this. The device traffic may be obscured by the app, but the local router and it’s firewall may offer some traceability and protection. Using multiple layers of network security can help to reduce significant data exfiltration incidents.”

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.