CloudSEK’s security team has detected the SpinOk malware in a fresh batch of Android apps on Google Play, revealing that it has been installed an additional 30 million times. Of the 193 apps identified as carrying the malicious software development kit (SDK), 43 were actively available on Google Play when discovered.
SpinOk, first discovered by Dr. Web, spreads through an SDK supply chain attack and poses as legitimate mini-games, while secretly compromising user data by stealing files and manipulating clipboard contents.
CloudSEK used the indicators of compromise (IoCs) provided in Dr. Web’s report to uncover more SpinOk infections, discovering an additional 92 apps and increasing the list of compromised apps to 193. Approximately half of these malicious apps were still accessible on Google Play.
The most widely downloaded app among the new batch was HexaPop Link 2248, which had accumulated 5 million installations before being removed from the platform.
The SpinOk SDK has been used by several other popular apps, such as Macaron Match, Macaron Boom, Jelly Connect, Tiler Master, Crazy Magic Ball, Happy 2048, and Mega Win Slots. CloudSEK reports that the combined download count for these additional SpinOk-carrying apps exceeds 30 million.
Notably, the developers of these apps were likely unaware that the SDK contained malicious functionality and mistakenly used it, believing it to be an advertising library.
This incident underscores the challenges of mapping and mitigating supply chain attacks on large software distribution platforms like Google Play.
CloudSEK promptly informed Google about the newly discovered malicious apps. As of the time of writing, Google has not responded, and many of the apps listed in CloudSEK’s report are still available for download on Google Play, indicating a need for swift action and improved security measures.