The 101 apps with which the spyware module was detected have been downloaded a total of 421 million times from the Google Play Store, reports Security company Dr. Web. These apps included Noizz (a video editing app with music), Zapya (a file sharing app), and VFly (also a video editing app). These three apps alone accounted for over 250 million installs.

Apps include the SpinOk module, which adds minigames, slot games, and commercials to apps via a software development kit (SDK). The SDK connects to a central server and can request information about the files on the phone and send files from the device to the server.

The content of the Clipboard app on the device can also be forwarded or replaced. App users were at risk of having their photos, videos, documents, passwords, and payment details stolen, or crypto payments hijacked.

Bypass Google Audit

The SDK also checked several sensors in the Android phone, such as the gyroscope and magnetometer, to ensure that the device wasn’t running in a sandbox environment. Such an environment is often used by researchers to analyze potentially malicious code. This may have caused the apps to pass verification in the Google Play Store.

Doctor Web has notified Google. All but one of the apps have been removed from the Google Play Store or updated without the spyware.

Also listen to our podcast: