Module Used for Mini-Games in Android Apps Contained Spyware, Potentially Infected Hundreds of Millions of End Users

Jun 7, 2023

An SDK module called “SpinOK” used to implement small casino-style mini-games in Android apps is infected with spyware, according to a research report by antivirus company Dr. Web.

The security researchers have uncovered the malicious module in at least 101 Android apps available through the Play Store, once again highlighting how difficult it is to effectively scan many SDKs for threat components. The spyware module targets user files and clipboard contents, and quietly passes information back to a remote server while using an assortment of techniques to evade notice.

Scope of Android spyware infections not fully clear, but hundreds of millions potentially impacted

It is not yet clear exactly how many people were infected or how often the spyware capabilities were actively employed. But based on raw download and install numbers of the infected Android apps, up to 421 million people could be impacted.

The SpinOK spyware targets user files that the tainted app has permission to access, along with the contents of the clipboard, and is capable of shipping both off to parts unknown without the user being alerted. At this point, Google has forced most of the infected Android apps off the Play Store until they can return with clean updates.

At this point there does not appear to be a pattern to the infections, or signs of a coordinated campaign. An assortment of different app developers and app types are infected, indicating that the SpinOK threat actors simply made the spyware generally available and that app developers were not aware that it was tainted when implementing it. SpinOK allows Android apps to implement “wheel spins” and other bonus games, often used as a daily login reward.

Google Play Protect apparently did not pick up on the spyware during the upload and approval process for these apps or on end user devices, highlighting a common problem with the ecosystem: a severe lack of visibility into SDKs if a developer desires to hide their contents and capabilities from view.

Malicious Android apps continue to be rampant on the Play Store

Malicious Android apps are usually developed intentionally from the ground up, but the SpinOK case illustrates a means by which an attacker can potentially piggyback on a legitimate app. In both cases, it remains very possible to get listed on the Play Store. Two of the apps that made use of SpinOK had over 100 million installs, and three more had over 50 million installs.

While malicious SDKs are a leading threat, they are far from the only one. “Lookalike” Android apps that appear to be from legitimate recognizable businesses remain a common problem, especially in popular emerging markets like cryptocurrency and AI chatbots. While Google Play Protect is capable of catching some threats, it is not adequate as a sole security layer for Android device users.
