Over 400 million infected with Android spyware — delete these apps right now

One phone with skull and crossbones on screen among several other clean-looking phones.
(Image credit: Marcos_Silva/Shutterstock)

Update: An additional 92 Android apps infected with the SpinOk malware have been discovered by the cybersecurity firm CloudSEK. As this malware can be used to spy on you and steal your data, you're going to want to delete all of these apps now if you happen to have any of them installed on your Android smartphone.

Over 100 Android apps with more than 400 million downloads combined have been infected with a new malware strain that’s being distributed as a software development kit (SDK) for advertisers.

As reported by BleepingComputer, the discovery was made by security researchers at Dr. Web who found a spyware module inside the affected apps that they’ve dubbed ‘SpinOk’. 

The reason this new Android malware is being referred to as spyware is due to the fact that it can steal private data stored on the best Android phones and send it to a remote server controlled by the hackers behind this campaign.

App developers likely added the SpinOk module to their apps, as it appears to be legitimate at first glance and uses minigames to provide users with “daily rewards” with the aim of keeping them interested.

Unfortunately though, SpinOk performs a number of malicious activities in the background while checking an Android device’s sensor data (including its gyroscope and magnetometer) to determine whether or not it’s running on an actual phone.

Reader Offer: Save 68% on Aura identity theft protection

Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can save up to 68% when they sign up.

Preferred partner (What does this mean?)

Delete these apps right now

According to Dr. Web’s report on the matter, the antivirus maker claims to have found 101 apps that were downloaded more than 421 million times from the Google Play Store. Below, you’ll find the affected apps with the most downloads and you can find the full list here:

  • Noizz: video editor with music - 100 million downloads
  • Zapya - File Transfer, Share - 100 million downloads
  • vFly: video editor&video maker - 50 million downloads
  • MVBit - MV video status maker - 50 million downloads
  • Biugo - video maker&video editor - 50 million downloads
  • Crazy Drop - 10 million downloads
  • Cashzine - Earn money reward - 10 million downloads
  • Fizzo Novel - Reading Offline - 10 million downloads
  • CashEM: Get Rewards - 5 million downloads
  • Tick: watch to earn - 5 million downloads

While most of the affected apps have been removed from the Play Store, not all of them have yet. If you have any of these apps installed on your Android smartphone, it’s recommended that you delete them immediately. However, the spyware has been removed in the latest versions of many of these apps, so you could update to the latest version instead of removing them entirely. Still though, it’s probably best you delete these apps for your own safety.

Trojanized SDK 

Once added to one of the affected apps, the trojanized SDK connects to a remote server in order to download a list of websites that are used to display minigames within them.

Although the minigames are displayed within the apps as expected, SpinOk is capable of performing a number of malicious activities in the background that include listing files in directories, searching for particular files, uploading files from an infected smartphone or copying and replacing content from your clipboard.

While the file exfiltration functionality could be used to expose private images, videos and documents, the clipboard modification functionality could allow SpinOk’s creators to steal passwords and credit card data as well as to hijack any payments made using cryptocurrency.

At the moment, it’s still unclear as to whether or not the publishers of these 100+ Android apps were tricked by the distributor of the trojanized SDK or included it in their apps on purpose. However, as BleepingComputer notes, these types of infections are often the result of supply-chain attacks from a third party.

In a statement to Tom's Guide, a Google spokesperson provided further details on what steps the search giant is taking to combat the risk posed by SpinOk, saying:

“The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.” 

How to stay safe from bad apps

A hand holding a phone securely logging in

(Image credit: Google)

When it comes to staying safe from malicious apps, you need to be extremely careful when downloading new apps — even when they come from the Google Play Store. Bad apps manage to slip past Google’s own security checks from time to time which is why you should exercise your best judgment when putting any new app on your phone.

You want to look at an app’s rating on the Play Store and read reviews while being mindful of the fact that both ratings and reviews can be faked. This is why it’s also a good idea to look for external reviews and especially video reviews so that you can see an app in action before installing it.

At the same time, you also want to be careful when using apps that request unnecessary permissions. For instance, that level or photo-editing app doesn’t likely need to be able to access your contacts and call history to work.

For additional protection, you should consider installing one of the best Android antivirus apps on your phone. If you’re on a tight budget though, Google Play Protect comes pre-installed for free on all Android phones and can also scan both your existing apps and any new ones you download for malware.

We’ll likely hear more about SpinOk once Google and others conduct their own investigations into how this trojanized SDK managed to end up inside so many popular Android apps.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.