Contents:
The SpinOk malware was discovered in a new batch of Android apps on Google Play, where it was reportedly installed 30 million more times.
The discovery was made by CloudSEK’s security team, who discovered a total of 193 apps containing the malicious software development kit (SDK), 43 of which were active on Google Play at the time of their discovery last week.
Dr. Web first uncovered SpinOk at the end of last month in a collection of 101 apps that had been downloaded over 421 million times in total.
From 101 to 193 Infected Apps
According to the mobile security firm’s report, SpinOk was distributed via an SDK supply chain attack that infected many apps and, as a result, compromised many Android users.
On the surface, the SDK provided mini-games with daily rewards that developers could legitimately use to pique the interest of their users. However, the trojan could be used in the background to steal files and replace clipboard contents.
CloudSEK used the IoCs from Dr. Web’s report to find more SpinOk infections, bringing the total number of bad apps to 193 after discovering an additional 92. Approximately half of them were available on Google Play.
HexaPop Link 2248, with 5 million installations, was the most popular of the new batch. However, since CloudSEK’s report, it has been removed from Google Play, explains Bleeping Computer.
Other popular apps that use the SpinOk SDK and are still available for download on Google Play include:
- Macaron Match (XM Studio) – 1 million downloads
- Macaron Boom (XM Studio) – 1 million downloads
- Jelly Connect (Bling Game) – 1 million downloads
- Tiler Master (Zhinuo Technology) – 1 million downloads
- Crazy Magic Ball (XM Studio) – 1 million downloads
- Happy 2048 (Zhinuo Technology) – 1 million downloads
- Mega Win Slots (Jia22) – 500,000 downloads
According to CloudSEK, the total number of downloads for the additional SpinOK-infected apps has surpassed 30 million.
It should be noted that the developers of these apps most likely mistook the malicious SDK for an advertising library, not realizing it contained malicious functionality.
The full list of infected applications can be found in the report’s appendix section.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
