Spyware-laden Android apps have been downloaded over 400 million times. Are you at risk?
Hundreds of millions of Android devices may have been infected by data-stealing malware that was hidden in over 100 apps on the Google Play Store. The malicious software module, or SDK (software development kit), was found in apps that had been downloaded more than 421 million times, according to researchers at Dr.Web.
How did spyware get into the apps?
The developers of the affected apps integrated the SDK into their software to display mini-games that were supposed to keep the user hooked. However, the SDK was not as harmless as it seemed, as it would also carry out a number of other, more sinister activities in the background without the user’s knowledge.
The researchers reported that the treacherous SDK, which they named “SpinOK,” could scan the device for specific files and upload them to a remote server controlled by the attackers. It could also copy and manipulate the clipboard content.
This allowed the SpinOK spyware to steal sensitive information from the users’ devices, such as private photos, videos and documents. The clipboard manipulation functionality could enable the attackers to get hold of information the user copied, such as passwords, credit card numbers or cryptocurrency wallet addresses. They could then replace the copied data with their own to trick the user into entering wrong information into a payment page or a cryptocurrency app, potentially resulting in unwanted transactions.
Google is supposed to flag apps that contain malicious SDKs as harmful and prevent them from getting listed on its store in the first place. However, some still slip through Google’s review process. This could be because the bad actors behind them use sophisticated techniques to avoid detection. It also does not help that Google is sometimes very slow to respond to reports of malware. According to one study, it can take Google up to two months to remove malware-infected applications from its store.
Which apps are affected?
Dr.Web researchers identified the malicious code in 101 applications. Some of the most popular apps affected have been video editors, including Noizz, VFly, MVBit and Biugo. While some of the apps were still running the poisonous SDK at the time of the report, others have either removed it or have been removed from the store. In some cases, the researchers note, only certain versions of the apps contained the SDK.
AdGuard can protect you
Many people believe that the only way to protect yourself from this kind of malware is to use antivirus software. First, you need to be careful when choosing antivirus software: some may not be sophisticated enough to stop all threats, and some may even be unsafe themselves, such as malware masquerading as legitimate software. Second, in some cases, such as this one, AdGuard can protect you as well.
AdGuard blocks the SpinOK SDK with its basic filtering rules. This means you don’t need to configure it in a special way, or change your DNS to AdGuard DNS (although you can still do it if you want). Keep in mind, though: AdGuard is not an antivirus. It can prevent malware from reaching your device through infected apps and web pages, but it can’t remove malware that has already infected your device.