New Spyware ‘SpinOk’ Infected Apps Put Millions of Android Users at Risk

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Security researchers at Doctor Web have discovered a software module with spyware capabilities. Tracked as ‘SpinOk’, it was distributed to app developers as a marketing software development kit (SDK) and was found in more than 100 Android apps with a combined download count of over 420 million.

The module qualifies as spyware because it can collect data from users’ devices and send it to remote servers controlled and operated by the threat actors.

At first glance the module looks legitimate: it is designed to keep users engaged with mini-games and alleged daily rewards.

On initialization, the module connects to a command-and-control (C2) server and sends it device telemetry, including readings from sensors such as the gyroscope and magnetometer. Those readings let it recognize a controlled environment (an emulator or sandbox) and adjust its behaviour to avoid being noticed by security researchers. For the same purpose it ignores the device’s proxy settings, which hides its network connections from an analyst’s intercepting proxy. The server then returns a list of URLs, which the module opens in a WebView to display the advertising banners and minigames.

The minigames are what the app’s users see. Behind them, the trojan module can list the files in a directory, check whether a particular file is present, and copy or replace the clipboard contents. Together these capabilities give the operators a route to confidential personal and financial data stored on the victim’s device.

The trojan module and several of its variants were found in apps with a combined total of at least 421,290,300 downloads. Among the most popular were:

  • Noizz: Video editor with music (100 million installations)
  • Zapya: File transfer and share (100 million installations)
  • VFly: Video editor & video maker (50 million installations)
  • MVBit: MV video status maker (50 million installations)
  • Biugo: Video maker & video editor (50 million installations)

According to the researchers, at the time of the report some of these apps still contained the malicious SDK, while others carried it only in particular versions or had already been removed from Google Play. Doctor Web said it had reported the newly discovered threat to Google.

In total, Doctor Web’s analysts report having found the SDK in 101 apps with at least 421,290,300 cumulative downloads. The complete list of affected apps is said to be published on the company’s website.

Bandit Stealer: A New Malware Targeting Crypto Wallets And Web Browsers

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Cybersecurity researchers at Trend Micro have discovered Bandit Stealer, an information stealer that targets multiple web browsers and cryptocurrency wallets. At present it focuses on Windows, but because it is written in Go, a cross-platform language, it could readily be ported to other platforms, Trend Micro reports.

Once on a Windows device, it invokes runas.exe, a command-line utility that lets a user run a program under another account with different permissions. The aim is to relaunch itself with administrative privileges so that it can collect the user’s personal data unhindered.

In practice, however, the attempt fails. Windows requires the credentials of the target account before runas.exe will run anything under it, so the malware cannot use the tool to elevate itself silently. “Bandit Stealer is not successful in utilizing it because they need to provide the appropriate credentials,” Trend Micro stated.

Bandit Stealer checks whether it is running in a sandbox, test or virtual environment. To do so it downloads a blacklist of hardware IDs, IP addresses, MAC addresses, usernames, hostnames and process names and compares them against the host. It also terminates running processes that appear on the blacklist, including those belonging to anti-malware and analysis tools, which helps it stay undetected on an infected machine.
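The check described above is a membership test across six host attributes. The Python below replays it from the analyst’s side, so you can see which attributes of an analysis VM would give it away and why naive matching is easy to sidestep. This is an added example written for this article, not code from Trend Micro or from the malware; the blacklist values, the two host profiles and the helper names (`HostProfile`, `match_blacklist`, `collect_local_profile`) are constructed for illustration, and the example does not perform the WMI or IP-lookup queries a real checker would.

```python
"""Replay the sandbox blacklist test the article describes, from the analyst's side.

Added example for this article, not code from Trend Micro or from the malware. The
blacklist values and both host profiles are constructed (TEST-NET addresses, made-up
hardware IDs and MAC tails); nothing here is an indicator from the report.
"""
import getpass
import re
import socket
import uuid
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    hwid: str
    public_ip: str
    mac: str
    username: str
    hostname: str
    processes: list = field(default_factory=list)


# Constructed blacklist covering the six categories named in the article.
SAMPLE_BLACKLIST = {
    "hwids": {"7AB5C494-39F5-4941-9163-47F54D6D5016"},
    "ips": {"203.0.113.10", "198.51.100.7"},
    "macs": {"00:0C:29:AA:BB:CC", "08:00:27:11:22:33"},  # VMware and VirtualBox OUIs
    "usernames": {"sandbox", "maltest", "john"},
    "hostnames": {"DESKTOP-ANALYST", "SANDBOX-PC", "WIN7-TEST"},
    "processes": {"procmon.exe", "wireshark.exe", "x64dbg.exe", "vboxservice.exe"},
}


def normalize_mac(mac: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF form so dashed, dotted and bare spellings compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_process(name: str) -> str:
    """Lower-case and add .exe, so 'Wireshark' and 'wireshark.exe' are the same entry."""
    name = name.strip().lower()
    return name if name.endswith(".exe") else name + ".exe"


def match_blacklist(profile: HostProfile, blacklist: dict) -> dict:
    """Return {category: [offending values]} for each category where the host is caught."""
    hits = {}
    if profile.hwid and profile.hwid.upper() in {h.upper() for h in blacklist["hwids"]}:
        hits["hwid"] = [profile.hwid]
    if profile.public_ip in blacklist["ips"]:
        hits["public_ip"] = [profile.public_ip]
    if profile.mac and normalize_mac(profile.mac) in {normalize_mac(m) for m in blacklist["macs"]}:
        hits["mac"] = [profile.mac]
    if profile.username.lower() in {u.lower() for u in blacklist["usernames"]}:
        hits["username"] = [profile.username]
    if profile.hostname.lower() in {h.lower() for h in blacklist["hostnames"]}:
        hits["hostname"] = [profile.hostname]
    bad = {normalize_process(p) for p in blacklist["processes"]}
    caught = sorted(p for p in profile.processes if normalize_process(p) in bad)
    if caught:
        hits["processes"] = caught
    return hits


def would_be_detected(profile: HostProfile, blacklist: dict) -> bool:
    """A checker of this kind bails out on any single hit; one sloppy attribute is enough."""
    return bool(match_blacklist(profile, blacklist))


def collect_local_profile(processes=()) -> HostProfile:
    """Best-effort profile of this machine using only the standard library and no network.
    Hardware ID and public IP stay empty: the malware gets those from WMI and an external
    IP lookup, neither of which this example performs."""
    node = uuid.getnode()  # a random value if no hardware address is available
    mac = ":".join(f"{(node >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))
    return HostProfile("", "", mac, getpass.getuser(), socket.gethostname(), list(processes))


# Constructed: a default-configured analysis VM, and the same VM after re-identifying it.
SANDBOX_PROFILE = HostProfile(
    hwid="7AB5C494-39F5-4941-9163-47F54D6D5016", public_ip="203.0.113.10",
    mac="08-00-27-11-22-33", username="Sandbox", hostname="sandbox-pc",
    processes=["explorer.exe", "ProcMon.exe", "Wireshark"],
)
HARDENED_PROFILE = HostProfile(
    hwid="1F3A9E6C-2B7D-4E0A-8C51-6D2F9B4A7E10", public_ip="198.51.100.200",
    mac="D4:3B:04:5E:A1:7F", username="mrobinson", hostname="FIN-WS-0417",
    processes=["explorer.exe", "outlook.exe", "ProcMon64.exe"],
)

if __name__ == "__main__":
    for label, profile in (("sandbox", SANDBOX_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {match_blacklist(profile, SAMPLE_BLACKLIST) or 'no hits'}")
    print(f"this host: {match_blacklist(collect_local_profile(), SAMPLE_BLACKLIST) or 'no hits'}")
```

Two things fall out of running it. First, the sandbox profile is caught six ways over, and a single hit is enough, so renaming the host alone buys nothing if the username, MAC OUI or a tool’s process name still gives it away. Second, the hardened profile runs a renamed Process Monitor binary and passes, because the test is exact-name matching after normalization; the list is fetched at run time, as the article says, so the values in a given sample are whatever the operator serves, and the sandbox side is the part you control.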

The malware also establishes persistence by adding an autorun entry to the Windows Registry, so that it is launched again each time the user logs on. It then collects sensitive data from the system: the IP-based location and country code, the system configuration, and stored financial information from browsers and cryptocurrency wallets. It can also take over the user’s Telegram account, which lets the attacker impersonate the victim among other malicious uses.
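Autorun persistence of this kind leaves a value under a Run key that a defender can audit. The Python below, an added example and not Trend Micro’s code, reads the current user’s Run key when run on Windows, falls back to constructed sample entries elsewhere, and flags entries by three common triage heuristics: a command that references a user-writable directory, a system-binary name living outside %SystemRoot%, and a launch through a script host or LOLBin. The article does not say which key Bandit Stealer writes; `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` is assumed here as the standard per-user location. The sample entries, the environment dictionary and the function names are constructed for this example.

```python
r"""Triage Windows Run-key autorun entries of the kind the article says Bandit Stealer creates.

Added example for this article, not Trend Micro's code. The article does not name the key the
malware writes; HKCU\Software\Microsoft\Windows\CurrentVersion\Run is assumed as the standard
per-user autorun location. Sample entries and environment are constructed so this runs on any OS.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed stand-in for the victim's environment (a live run passes dict(os.environ)).
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Users\victim",
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\victim\AppData\Local",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "SYSTEMROOT": r"C:\Windows",
}

# Locations a non-admin process can write to (ProgramData at its root): the usual home of
# user-level persistence. Compared lower-case against the expanded command line.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\users\\public\\",
                         "\\programdata\\", "\\windows\\temp\\")
# Names malware borrows to blend in; the genuine binaries live under %SystemRoot%.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe"}
# Interpreters and LOLBins that let an autorun value stage its real payload elsewhere.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}

R_WRITABLE = "command references a user-writable directory"
R_MASQ = "system binary name outside %SystemRoot%"
R_SCRIPT = "launched through a script host or LOLBin"


def expand_env(command: str, env: dict) -> str:
    """Expand %VAR% references as the shell would; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key value, quoted or not (unquoted paths may hold spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def flag_reasons(command: str, env: dict) -> list:
    """Return the triage heuristics this entry trips; an empty list means nothing stood out."""
    expanded = expand_env(command, env).lower()
    exe = executable_path(expanded)
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    if base and "." not in base:
        base += ".exe"  # "rundll32 payload.dll,Entry" style values
    system_root = env.get("SYSTEMROOT", r"C:\Windows").lower() + "\\"
    reasons = []
    if any(marker in expanded for marker in USER_WRITABLE_MARKERS):
        reasons.append(R_WRITABLE)
    if base in SYSTEM_BINARY_NAMES and not exe.startswith(system_root):
        reasons.append(R_MASQ)
    if base in SCRIPT_HOSTS:
        reasons.append(R_SCRIPT)
    return reasons


def audit(entries, env: dict) -> dict:
    """Map entry name -> reasons for every entry that tripped at least one heuristic."""
    findings = {}
    for name, command in entries:
        reasons = flag_reasons(command, env)
        if reasons:
            findings[name] = reasons
    return findings


def read_run_entries() -> list:
    """Live read of the current user's Run key; returns [] off Windows so the audit still runs."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                return entries
            entries.append((name, str(value)))
            index += 1


# Constructed: two ordinary entries and two shaped like user-level stealer persistence.
SAMPLE_ENTRIES = [
    ("VendorTray", r'"C:\Program Files\Vendor\tray.exe" /silent'),
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r"%LOCALAPPDATA%\Temp\svchost.exe"),
    ("Updater", r'powershell.exe -w hidden -ep bypass -f "%APPDATA%\update.ps1"'),
]

if __name__ == "__main__":
    import os
    live = read_run_entries()
    entries, env = (live, dict(os.environ)) if live else (SAMPLE_ENTRIES, SAMPLE_ENV)
    for name, reasons in audit(entries, env).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A hit is a reason to look, not a verdict: OneDrive legitimately runs from %LOCALAPPDATA% and trips the same heuristic as the sample svchost.exe, so compare findings against a known-good baseline of the host (and against the HKLM Run, RunOnce and Winlogon equivalents, which this example does not read) before acting on them.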

The malware reaches victims through attachments in phishing emails, fake installers and malicious websites.

Trend Micro has not attributed the malware to any threat group, citing “its recent emergence and limited data on its operation”. The researchers nevertheless expect it to be used for identity theft, data breaches and other malicious activity.