CloudSEK SVigil team’s research found 101 compromised apps with SpinOK Android malware distributed as an advertisement SDK. More worryingly, 43 of these apps are still active on the Play Store, some with 5+ million downloads. In total, we estimate 30 million users to be affected by this additional set of apps. This is on the heels of a recent report published by cybersecurity firm Dr Web which discovered Android.Spy.SpinOk within the supply chain of multiple apps, putting user privacy and security at risk. By understanding the scope of this supply chain threat and implementing necessary security measures, organizations can protect their users’ personal information and privacy in the dynamic landscape of mobile apps.
Information from the Blog
Our Research Team came across a blog post reporting that SpinOK Android malware, distributed as an advertisement SDK, had been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times. Android.Spy.SpinOk is the detection name for the spyware hidden in these marketing modules and the apps they're embedded in. It collects files from Android devices and transfers them to attackers, and can also manipulate clipboard contents. Dr.Web's team identified the following CloudFront URL as one of the network indicators for the malware: https[:]//d3hdbjtb1686tn[.]cloudfront[.]net/gpsdk.html, which serves as a crucial indicator of the malware's presence.
Leveraging our mobile app supply chain security tools, we began examining the situation and were alarmed to find that this malicious spyware, masquerading as an advertisement SDK, had infiltrated numerous apps in Google Play Store.
Rapidly Spotting Malware-Infected Packages
Using our BeVigil OSINT API's domain-to-app mapping capabilities, we were able to quickly identify which apps contained or previously contained the malicious CloudFront URL. Surprisingly, we discovered an additional 193 applications, extending the initial list of 101 compromised apps provided by Dr Web. Out of the 193 apps identified, our analysis revealed that 43 applications are still available on the Google Play Store. This indicates a wider compromise within the Play Store ecosystem, leaving a larger user base susceptible to potential privacy breaches and data exfiltration.
Analysis of the Malicious SDK
To validate the findings, we manually examined the identified applications, which exhibited similar characteristics as described in Dr Web's report. Our investigation confirmed the presence of the malicious method used to obtain the C&C server's address and various methods used to exfiltrate personal data & files.
Malware obtaining the current C&C server address via the CloudFront URL:
List of Top 10 live infected apps based on installs on Play Store:
The magnitude of the situation becomes apparent when we consider the collective user base of approximately 30 million individuals impacted by these compromised apps. Upon careful examination of these potentially compromised applications, it becomes evident that a significant portion of them fall into the category of casual games. Often, users download these apps, engage with them briefly, and subsequently forget about their presence on their devices. In light of this, it is strongly recommended that users consistently employ antivirus software to periodically scan their devices and detect any potential threats lurking within. By taking proactive measures to safeguard their devices, users can protect themselves from the unintended consequences of these infected applications.
YARA Rule for detection
We have created a YARA rule to detect this malware in Android apps.
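The domain-to-app mapping described above and the YARA rule both come down to one check: does an APK embed the published CloudFront indicator? The script below is an added illustration written for this page, not CloudSEK's BeVigil code or its YARA rule. It treats an APK as the zip archive it is, searches the code, native-library and resource entries for the indicator host and path, and maps a set of packages to the ones that carry it. The package names and archive contents are constructed test data; the domain is the (refanged) indicator quoted from Dr.Web above. Because the search is a plain byte match, an SDK that encrypts or builds the URL at runtime would not be caught this way, which is the usual caveat for string-based YARA rules as well.

```python
"""Scan APK files (zip archives) for the SpinOK network indicator.

Added example for this article; not BeVigil's code and not the YARA rule
the article refers to. Package names and archive contents are constructed.
"""
import io
import re
import zipfile

# Network indicator published by Dr.Web and quoted (defanged) in the article.
SPINOK_HOST = b"d3hdbjtb1686tn.cloudfront.net"
SPINOK_PATH = b"/gpsdk.html"

# Entries worth searching: compiled Dalvik code, native libraries,
# compiled resources and XML. Images and fonts are skipped.
INTERESTING = re.compile(r"(classes\d*\.dex|\.so|resources\.arsc|\.xml)$")


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {entry_name: [labels]} for every entry containing the indicator.

    DEX string constants are stored as contiguous MUTF-8 bytes, so an ASCII
    domain appears verbatim and a plain byte search finds it.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not INTERESTING.search(info.filename):
                continue
            data = zf.read(info.filename)
            found = [label for label, needle in (("host", SPINOK_HOST),
                                                 ("gpsdk.html", SPINOK_PATH))
                     if needle in data]
            if found:
                hits[info.filename] = found
    return hits


def map_indicator_to_apps(apks: dict) -> list:
    """Given {package_name: apk_bytes}, return sorted package names that embed the indicator."""
    return sorted(name for name, blob in apks.items() if scan_apk(blob))


def _build_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one archive whose dex carries the URL as a string
# constant, one clean archive. The package names are placeholders.
SAMPLE_APKS = {
    "com.example.infected": _build_apk({
        "AndroidManifest.xml": b"<manifest package='com.example.infected'/>",
        "classes.dex": b"dex\n035\x00...https://d3hdbjtb1686tn.cloudfront.net/gpsdk.html\x00...",
        "lib/arm64-v8a/libads.so": b"\x7fELF...",
    }),
    "com.example.clean": _build_apk({
        "AndroidManifest.xml": b"<manifest package='com.example.clean'/>",
        "classes.dex": b"dex\n035\x00...https://example.invalid/ads\x00...",
    }),
}

if __name__ == "__main__":
    for pkg, blob in SAMPLE_APKS.items():
        print(pkg, scan_apk(blob) or "clean")
    print("flagged:", map_indicator_to_apps(SAMPLE_APKS))
```

To run it against real files, replace `SAMPLE_APKS` with a mapping of package name to the bytes of each downloaded APK; the reported entry names tell you where in the archive the SDK left the indicator, which is the same location a YARA rule would need to target.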
Impact & Mitigation
The wide distribution of compromised applications containing the Android.Spy.SpinOk SDK poses grave threats to user privacy and security. With millions of downloads across various applications, the potential scale of data exfiltration, unauthorized surveillance, and compromise of sensitive information is significant.
Organizations must take supply chain security seriously and actively implement measures to protect their users from potential threats. This must include:
- Conducting thorough code reviews
- Vetting third-party SDKs
- Regularly monitoring their apps for any signs of compromise
Mitigating Digital Supply Chain Risks: SVigil's Proactive Approach
This report reveals a widespread problem of malware-infected applications in the Play Store caused by a single malicious SDK, which highlights a critical digital supply chain risk. SVigil is capable of proactively identifying such risks. It detects the use of potentially risky SDKs in app development before they become a security issue, allowing organizations to respond promptly and efficiently.
By creating a detailed map of all digital vendors, integrations, dependencies, and plugins used by an organization, SVigil makes it easy for organizations to identify potential vulnerabilities and threats in their digital supply chain.
SVigil ensures robust protection against infrastructure threats, providing detailed insight into third-party dependencies and potential security risks. This includes the ability to spot and mitigate threats from malware stemming from malicious SDKs.
IOC - List of Live Infected Applications
Disclaimer: The information provided regarding the number of affected users and the quantity of apps involved in the malware campaign is based on our research conducted as of June 1, 2023 17:00 IST. Please note that these figures are subject to change as further investigations and discoveries are made. We strive to provide accurate and up-to-date information, but it is essential to acknowledge that the dynamic nature of the cybersecurity landscape may influence the statistics and findings over time.