In a startling revelation that has drawn global attention, the cybersecurity firm CloudSEK recently disclosed that several Android applications hosted on Google Play Store, with collective downloads surpassing 30 million, were found to be tainted with SpinOk malware.
The announcement follows a meticulous investigation by CloudSEK’s research team, where they unearthed a worrying statistic: 193 apps on Google Play Store were infected with SpinOk malware, 43 of which were active within the last week.
Unmasking SpinOk: A Trojan Horse Among Us
Originally discovered by another cybersecurity software firm, Dr Web, in May 2023, the SpinOk malware has demonstrated a remarkable ability to hide in plain sight. The malware, ingeniously veiled as an advertisement software development kit (SDK), is, in reality, a Trojan horse that functions as spyware.
This deceptive scheme is the primary reason for its widespread infiltration. It poses as a legitimate SDK for minigames with enticing daily rewards, duping developers into using the infected kit on their apps and tricking unsuspecting users into downloading and running these compromised apps.
Consequences of SpinOk Infection: A Data Heist
Once it has insinuated itself onto a device, the SpinOk malware ruthlessly steals a wide range of private data, including images, files, and videos. It swiftly transmits this stolen data to a private server. Furthermore, it can hijack payments to cryptocurrency wallets, pilfer payment card details, and snatch login credentials.
The victims, left defenseless, are exposed to devastating outcomes such as identity theft and monetary loss. Hackers might gain access to their personal images, documents, and financial assets.
The Pervasive Reach of SpinOk: A Supply Chain Attack
The staggering number of affected apps can be traced back to the fact that SpinOk malware was propagated via a SDK-based supply chain attack. Developers, unaware of the Trojan horse lurking within, likely downloaded the SDK and inadvertently set the stage for this widespread infiltration.
Google Play Store’s Response: “Taking Appropriate Action”
The Google Play Store, in light of these revelations, has assured that it is taking “appropriate action on apps that violate [its] policies”. Meanwhile, it urges users to rely on Google Play Protect, which flags apps exhibiting malicious behavior on Android devices with Google Play Services, even if they originate from different sources.
From Discovery to Action: The Timeline
In Dr. Web’s initial discovery, the SpinOk malware was found in several hundred apps that collectively had been downloaded over 421 million times. Later, CloudSEK used the indicators of compromise (IoCs) provided in Dr. Web’s report to discover additional infected apps. The list ballooned to 193 when they found an additional 92 compromised apps, half of which were available on Google Play.
Among these, HexaPop Link 2248, which boasted 5 million installations, was the most downloaded, but it has since been removed from Google Play. Other popular apps still available for download, all carrying the malicious SpinOk SDK, include Macaron Match, Macaron Boom, Jelly Connect, Tiler Master, Crazy Magic Ball, Happy 2048, and Mega Win Slots.
The developers behind these apps likely incorporated the malicious SDK unknowingly, believing it to be a simple advertising library. CloudSEK has reported that these additional SpinOk-ridden apps have collectively been downloaded over 30 million times.
This incident underscores the complexity and challenges of tracing supply chain attacks in extensive software distribution platforms like Google Play Store. The task of locating every project using a particular module is demanding and can lead to significant delays in risk mitigation.
