Supply Chain Attack Infiltrates Android Apps with Malicious SDK

CloudSEK SVigil team’s research found 101 compromised apps with SpinOK Android malware distributed as an advertisement SDK. More worryingly, 43 of these apps are still active on the Play Store, some with 5+ million downloads. In total, we estimate 30 million users to be affected by this additional set of apps. This is on the heels of a recent report published by cybersecurity firm Dr Web which discovered Android.Spy.SpinOk within the supply chain of multiple apps, putting user privacy and security at risk. By understanding the scope of this supply chain threat and implementing necessary security measures, organizations can protect their users’ personal information and privacy in the dynamic landscape of mobile apps.

Analysis

Information from the Blog

Our Research Team came across a blog post mentioning SpinOK Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times. The Android.Spy.SpinOk virus detects hidden spyware in marketing modules and the apps they're embedded in. It collects files from Android devices and transfers them to attackers, and can also manipulate clipboard contents.Dr.Web’s team has identified the following Cloudfront URL as one of the network indicator for malware: https[:]//d3hdbjtb1686tn[.]cloudfront[.]net/gpsdk.html , which serves as a crucial indicator of the malware's presence

Leveraging our mobile app supply chain security tools, we began examining the situation and were alarmed to find that this malicious spyware, masquerading as an advertisement SDK, had infiltrated numerous apps in Google Play Store.

Rapidly Spotting Malware-Infected Packages

Using our Bevigil OSINT API's domain to app mapping capabilities we were able to quickly identify which apps contained or previously contained the malicious cloudfront URL. Surprisingly, we discovered an additional 193 applications, extending the initial list of 101 compromised apps provided by Dr Web. Out of the 193 apps identified, our analysis revealed that 43 applications are still available on the Google Play Store. This indicates a wider compromise within the Play Store ecosystem, leaving a larger user base susceptible to potential privacy breaches and data exfiltration.

Analysis of the Malicious SDK

To validate the findings, we manually examined the identified applications, which exhibited similar characteristics as described in Dr Web's report. Our investigation confirmed the presence of the malicious method used to obtain the C&C server's address and various methods used to exfiltrate personal data & files.

Infected App Name	Infected Package ID	Installs	Developer Name
HexaPop Link 2248	com.hexagon.blocks.colorful.resixlink	5,000,000+	simon90tk
Macaron Match	com.macaronmatch.fun.gp	1,000,000+	XM Studio
Macaron Boom	com.macaron.boommatch.gp	1,000,000+	XM Studio
Jelly Connect	com.blast.game.candy.candyblast	1,000,000+	blinggame
Tiler Master	com.tilermaster.gp	1,000,000+	Zhinuo Technology Co., Ltd.
Crazy Magic Ball	com.crazymagicball.gp	1,000,000+	XM Studio
Bitcoin Master	com.cq.merger.ww.bitmerger	1,000,000+	cqwawang
Happy 2048	com.happy2048.mergeblock	1,000,000+	Zhinuo Technology Co., Ltd.
Mega Win Slots	com.carnival.slot.treasure.slotparty	500,000+	Jia22

The magnitude of the situation becomes apparent when we consider the collective user base of approximately 30 million individuals impacted by these compromised apps. Upon careful examination of these potentially compromised applications, it becomes evident that a significant portion of them fall into the category of casual games. Often, users download these apps, engage with them briefly, and subsequently forget about their presence on their devices. In light of this, it is strongly recommended that users consistently employ antivirus software to periodically scan their devices and detect any potential threats lurking within. By taking proactive measures to safeguard their devices, users can protect themselves from the unintended consequences of these infected applications.

YARA Rule for detection

import "androguard"

rule android_spinok : malware
{
   	meta:
description = "AndroidSpinOk Spyware"
condition:
		androguard.url(/d3hdbjtb1686tn\.cloudfront\.net/)
}

Impact & Mitigation

The wide distribution of compromised applications containing the Android.Spy.SpinOk SDK poses grave threats to user privacy and security. With millions of downloads across various applications, the potential scale of data exfiltration, unauthorized surveillance, and compromise of sensitive information is significant.

Organizations must ensure supply chain security seriously and actively implement measures to protect their users from potential threats. This must include

Mitigating Digital Supply Chain Risks: SVigil's Proactive Approach

This report reveals a widespread issue of malware-infected applications in the Play Store, due to the use of a malicious SDK, highlights a critical digital supply chain risk. SVigil is capable of proactively identifying such risks. It detects the use of potentially risky SDKs in app development before they pose a security issue, allowing organizations to respond promptly and efficiently.

In addition, SVigil conducts a thorough analysis of an organization’s entire digital infrastructure. This analysis isn't limited to large components like cloud vendor services; it extends to smaller elements like JavaScript libraries used on a website's frontend. This comprehensive visibility enables organizations to better understand and manage their digital supply chain.

By creating a detailed map of all digital vendors, integrations, dependencies, and plugins used by an organization, SVigil makes it easy for organizations to identify potential vulnerabilities and threats in their digital supply chain.

SVigil ensures robust protection against infrasructure threats, providing detailed insight into third-party dependencies and potential security risks. This includes the ability to spot and mitigate threats from malware stemming from malicious SDKs.

References

Appendix

IOC - List of Live Infected Applications

Infected Package ID
com.hexagon.blocks.colorful.resixlink	com.diamond.block.gp
com.macaronmatch.fun.gp	com.boommatch.hex.gp
com.macaron.boommatch.gp	com.guaniu.deserttree
com.blast.game.candy.candyblast	com.snailbig.gstarw
com.tilermaster.gp	com.tunai.instan.game
com.crazymagicball.gp	com.yqwl.sea.purecash
com.cq.merger.ww.bitmerger	com.block.bang.blockbigbang
com.happy2048.mergeblock	com.chainblock.merge2048.gp
com.carnival.slot.treasure.slotparty	com.snailbig.gstarfeelw
com.holiday2048.gp	com.ccxgame.farmblast
com.richfive.money.sea	com.bubble.connect.bitconnect
com.hotbuku.hotbuku	com.acemegame.luckyslot
com.crazyfruitcrush.gp	com.tianheruichuang.channel3
com.twpgame.funblockpuzzle	com.kitty.blast.lucky.pet.game
com.sncgame.pixelbattle	com.magicballs.games
com.cute.macaron.gp	com.bird.merge.bdrop
com.slots.lucky.win	com.acemegame.luckycashman
com.happy.aquarium.game	free.vpn.nicevpn
com.blackjack.cash.poker	com.vegas.cash.casino
vip.minigame.idledino	com.meta.chip.metachip
com.circus.coinpusher.free	com.guaniu.lightningslots
vip.minigame.RollingBubblePuzzle

Disclaimer: The information provided regarding the number of affected users and the quantity of apps involved in the malware campaign is based on our research conducted as of June 1, 2023 17:00 IST. Please note that these figures are subject to change as further investigations and discoveries are made. We strive to provide accurate and up-to-date information, but it is essential to acknowledge that the dynamic nature of the cybersecurity landscape may influence the statistics and findings over time.