Android apps with spyware installed 421 million times from Google Play


A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.

Security researchers at Dr. Web discovered the spyware module and tracked it as ‘SpinOk,’ warning that it can steal private data stored on users’ devices and send it to a remote server.

The antivirus company says SpinkOk demonstrates a seemingly legitimate behavior, using minigames that lead to “daily rewards” to spark user interest.

“On the surface, the SpinOk module is designed to maintain users’ interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings,” explains Doctor Web’s report.

In the background, though, the trojan SDK checks the Android device’s sensor data (gyroscope, magnetometer) to confirm that it’s not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps.

The app then connects to a remote server to download a list of URLs opened used to display expected minigames.

Mini-games displayed by SDKMini-games displayed by SDK
Source: Dr.Web

While the minigames are displayed to the apps’ users as expected, Dr. Web says that in the background, the SDK is capable of additional malicious functionality, including listing files in directories, searching for particular files, uploading files from the device, or copying and replacing clipboard contents.

The file exfiltration functionality is particularly concerning as it could expose private images, videos, and documents.

In addition, the clipboard modification functionality code allows the SDK’s operators to steal account passwords and credit card data, or hijack cryptocurrency payments to their own crypto wallet addresses.

Dr. Web claims this SDK was found in 101 apps that were downloaded for a cumulative total of 421,290,300 times from Google Play, with the most downloaded listed below:

  • Noizz: video editor with music (100,000,000 downloads)
  • Zapya – File Transfer, Share (100,000,000 downloads; Dr. Web says the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
  • VFly: video editor&video maker (50,000,000 downloads)
  • MVBit – MV video status maker (50,000,000 downloads)
  • Biugo – video maker&video editor (50,000,000 downloads)
  • Crazy Drop (10,000,000 downloads)
  • Cashzine – Earn money reward (10,000,000 downloads)
  • Fizzo Novel – Reading Offline (10,000,000 downloads)
  • CashEM: Get Rewards (5,000,000 downloads)
  • Tick: watch to earn (5,000,000 downloads)

All but one of the above apps have been removed from Google Play, indicating that Google received reports about the malicious SDK and removed the offending apps until the developers submitted a clean version.

A complete list of the apps reportedly using the SDK can be found on Dr. Web’s site.

It is unclear if the publishers of the trojanized apps were deceived by the SDK’s distributor or knowingly included it in their code, but these infections commonly result from a supply-chain attack from a third party.

If you use any of the apps listed above, you should update to the latest version available via Google Play, which should be clean.

If the app isn’t available on Android’s official app store, it is recommended to uninstall them immediately and scan your device with a mobile antivirus tool to ensure that any spyware leftovers are removed.

BleepingComputer has reached out to Google for a statement on this massive infection base, but a comment wasn’t available by publication time.


  • Dr. Technical Photo Dr. Technical – 2 days ago

    What good is it to say an app is “Play Protected” by Google if malware continues to slip through into apps downloaded by users.
    Google’s “seal of approval” means NOTHING! They have failed to do what they say they do.

  • EdwinDavidson Photo EdwinDavidson – 2 days ago

    This is why I avoid Google Android. Each and every audit of it records more and more malware. Google DOES NOT CARE. The numbers keep going up. AND EVEN I CAN SPOT MALWARE GOOGLE ALLOWS WITHOUT CARING MY REPORTS OF IT, after all – who cares.

  • ThomasMann Photo ThomasMann – 2 days ago

    Google ist a billion Dollar company, the idea that their user’s security is one of their top 100 interests, is something that only idiots can believe.

    And the vast majority of those retarded monkeys, who run all over the place staring at the phone in their hands, are the perfect willing “victims”.

    These 421.000.000 are a tip of the iceberg, as it is only ONE of many malwares that make it into their beloved instruments. Without these, their ridiculous lives would not have any meaning at all….

  • kesso101 Photo kesso101 – 2 days ago

    With most users using Android devices. Google needs to step up its game in detecting these malicious applications containing spyware. The vetting of vendors allowed to add their apps to the play store has to be tightened. I know this can be seen as a difficult thing especially considering how much they might lose should app providers/customers leave. The silver line here is most people are android users and that is not going to change anytime soon.

  • aztony Photo aztony – 2 days ago

    Any user relying solely on Google Play Protect to scan their device(s) for malware is putting their device in serious jeopardy.

  • Mahhn Photo Mahhn – 1 day ago

    It’s no joke, that google playstore is by far the largest malware delivery service ever. Joke is that their AI they are using to replace employees, isn’t doing a good job either. Someone needs to add some Ethics subroutines to it’s system.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.29 5M+ Downloads

  • McAfee Consumer Products Removal tool Logo

    McAfee Consumer Products Removal tool

    Version: NA 432,319 Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 23,019 Downloads


Related posts

Brave launches FrodoPIR, a privacy-focused database query system

Sarah Henriquez

NSA shares guidance to help secure OT/ICS critical infrastructure

Sarah Henriquez

AdGuard’s new ad blocker struggles with Google’s Manifest v3 rules

Sarah Henriquez

Leave a Comment