SpinOk malware has been found in a new batch of Android apps on Google Play, which is said to have been installed an additional 30 million times.

The discovery comes from CloudSEK’s security team, which reports finding a set of 193 apps containing the malicious SDK, 43 of which were active on Google Play at the time of their discovery last week.

SpinOk on Google Play

SpinOk was first discovered by Dr Web at the end of last month in a set of around 100 apps that had collectively been downloaded more than 421 million times.

As the mobile security company explains in its report, SpinOk was distributed via an SDK supply chain attack that infected many apps and, by extension, breached many Android users.

On the surface, the SDK served mini-games with daily rewards legitimately used by the developers to pique the interest of their users. However, in the background, the Trojan could be used to steal files and overwrite clipboard contents.

CloudSEK used the IoCs provided in Dr. Web’s report to discover more SpinOk infections, expanding the list of bad apps to 193 after discovering 92 more apps. About half of them were available on Google Play.

The most downloaded of the new batch was HexaPop Link 2248, which had 5 million installs. However, in the background, the Trojan is used to steal files and overwrite clipboard contents.

Other popular apps using the SpinOk SDK that remain available for download through Google Play are:

• Macaron Match (XM Studio) – 1 million downloads
• Macaron Boom (XM Studio) – 1 million downloads
• Jelly Connect (Bling Game) – 1 million downloads
• Tiler Master (Zhinuo Technology) – 1 million downloads
• Crazy Magic Ball (XM Studio) – 1 million downloads
• Happy 2048 (Zhinuo Technology) – 1 million downloads
• Mega Win Slots (Jia22) – 500,000 downloads

CloudSEK reports that the number of collective downloads for additional apps equipped with SpinOK reaches over 30,000,000.

It should be noted that the developers of these apps probably used the malicious SDK thinking it was an adware library, unaware that it included malicious functionality.

The complete list of infected applications can be found in the appendix section of The CloudSEK report.

This speaks to the complexity of fully mapping supply chain attacks in large software distribution platforms such as Google Play Store, where locating every project that might be using a particular module is difficult and results in serious delays in the risk resolution process.

CloudSEK notified Google of the new malicious apps it discovered on Friday, June 2, 2023, and BleepingComputer contacted the Android team about it.

Google has yet to respond, and many apps listed in CloudSEK’s report are still available on Google Play at the time of writing.