SpinOk Malware Found in More Apps with 30M Installs
A cybersecurity firm, CloudSEK, has discovered many apps infected with SpinOk malware on the Google Play store after an extensive investigation. Their research team identified 193 infected apps, 43 of which were still active on the Google Play Store within the past week.
The SpinOk malware was initially discovered in May 2023 by Dr. Web, a cybersecurity software company. Appearing as an advertisement software development kit (SDK), it is a trojan that functions as spyware.
According to BleepingComputer, Dr. Web's findings at the time revealed that the malware had been downloaded more than 421 million times through various apps. According to the mobile security company's report, SpinOk malware was likely distributed through a supply chain attack targeting the software development kits (SDKs) used by numerous apps.
Initially appearing as an innocuous SDK, the malware operated by offering users daily rewards through mini-games, a legitimate tactic employed by developers to engage their audience. However, in the background, the trojan could pilfer files and copy the contents of the user’s clipboard in an effort to find account credentials and other personal information.
Building upon Dr. Web's May report, CloudSEK utilized the indicators of compromise (IoCs) provided to identify additional SpinOk infections. Through this process, they discovered an extra 92 infected apps, expanding the list of malicious applications to 193. Approximately half of these apps were accessible on the Google Play store.
Among the newly identified apps, HexaPop Link 2248 had the most downloads, with over 5 million installations. However, it has since been removed from Google Play following CloudSEK's report.
Here are some of the popular Android apps that have been identified as containing the SpinOk malware, along with their developers and the number of downloads:
- Macaron Match (XM Studio) - 1 million downloads
- Macaron Boom (XM Studio) - 1 million downloads
- Jelly Connect (Bling Game) - 1 million downloads
- Tiler Master (Zhinuo Technology) - 1 million downloads
- Crazy Magic Ball (XM Studio) - 1 million downloads
- Happy 2048 (Zhinuo Technology) - 1 million downloads
- Mega Win Slots (Jia22) - 500,000 downloads
Please note that this is not an exhaustive list. For a comprehensive list of all infected apps, you can refer to the appendix of CloudSEK's report.
Speaking to Tom’s Guide about the issue, a Google spokesperson had the following to say:
“The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.”