The SpinOk malware was found in a new batch of Android apps on Google Play, reportedly installed an additional 30 million times.
The finding comes from CloudSEK’s security team, who report finding a set of 193 apps carrying the malicious SDK, 43 of which were active on Google Play at the time of their discovery last week.
SpinOk on Google Play
SpinOk was first discovered by Dr. Web late last month in a set of a hundred apps that had been collectively downloaded over 421 million times.
As the mobile security company explained in its report, SpinOk was distributed via an SDK supply chain attack that infected many apps and, by extension, breached many Android users.
On the surface, the SDK served mini-games with daily rewards legitimately used by developers to pique the interest of their users. However, in the background, the trojan could be used to steal files and replace clipboard contents.
CloudSEK used the IoCs provided in Dr. Web’s report to uncover more SpinOk infections, extending the list of bad apps to 193 after discovering an additional 92 apps. Roughly half of those were available on Google Play.
The most downloaded of the new batch was HexaPop Link 2248, which had 5 million installations. However, it has been removed from Google Play since CloudSEK compiled its report.
Other popular apps using the SpinOk SDK and which remain available for download via Google Play are:
- Macaron Match (XM Studio) – 1 million downloads
- Macaron Boom (XM Studio) – 1 million downloads
- Jelly Connect (Bling Game) – 1 million downloads
- Tiler Master (Zhinuo Technology) – 1 million downloads
- Crazy Magic Ball (XM Studio) – 1 million downloads
- Happy 2048 (Zhinuo Technology) – 1 million downloads
- Mega Win Slots (Jia22) – 500,000 downloads
CloudSEK reports that the collective download count for the additional SpinOK-ridden apps reaches over 30,000,000.
It should be noted that the developers of these apps likely used the malicious SDK thinking it was an advertising library, unaware that it included malicious functionality.
The full list of infected applications can be found in the appendix section of CloudSEK’s report.
This is a testament to the complexity of fully mapping supply chain attacks in large software distribution platforms such as the Google Play store, where locating every project that might be using a particular module is challenging and leads to severe delays in the risk remediation process.
CloudSEK informed Google about the new malicious apps it discovered on Friday, June 2, 2023, and BleepingComputer contacted the Android team about it.
Google has not responded yet, and many of the apps listed in CloudSEK’s report are still available on Google Play at the time of writing.
Update 6/6 – A Google spokesperson has sent us the following comment:
The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies.
Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.