Supply Chain Attack Infiltrates Android Apps with Malicious SDK

CloudSEK SVigil team’s research found 101 compromised apps with SpinOK Android malware distributed as an advertisement SDK. More worryingly, 43 of these apps are still active on the Play Store, some with 5+ million downloads.
Published on June 2, 2023. Updated on June 5, 2023.

In total, we estimate that around 30 million users are affected by this additional set of apps. This follows a recent report by the security firm Dr.Web, which discovered Android.Spy.SpinOk in the supply chain of multiple apps, putting user privacy and security at risk. By understanding the scope of this supply chain threat and implementing the necessary security controls, organizations can protect their users’ personal information and privacy in the fast-moving mobile app ecosystem.

Analysis

Information from the Dr.Web report

Our research team came across a blog post from Dr.Web reporting that SpinOk, an Android spyware module distributed as an advertisement SDK, had been found in multiple apps, many of them previously on Google Play and collectively downloaded over 400 million times. Dr.Web detects the module as Android.Spy.SpinOk. It presents itself as a marketing SDK but carries hidden spyware functionality: it collects information about files on the device, can transfer files to the attackers’ server, and can read and substitute clipboard contents. Dr.Web identified the following CloudFront URL, which the SDK uses to obtain the address of its C&C server, as one of the network indicators of the malware: https[:]//d3hdbjtb1686tn[.]cloudfront[.]net/gpsdk.html

Leveraging our mobile app supply chain security tooling, we examined the situation and found that this spyware, masquerading as an advertisement SDK, had infiltrated numerous apps on the Google Play Store.

Infected Application on Google Play Store

Rapidly Spotting Malware-Infected Packages

Using the domain-to-app mapping capabilities of our BeVigil OSINT API, we quickly identified which apps contain, or previously contained, the malicious CloudFront URL. We discovered 193 applications beyond the initial list of 101 compromised apps published by Dr.Web. Of those 193 apps, 43 were still available on the Google Play Store at the time of writing. This indicates a wider compromise within the Play Store ecosystem than first reported, leaving a larger user base exposed to privacy breaches and data exfiltration.

Analysis of the Malicious SDK

To validate the findings, we manually examined the identified applications, which exhibit the same characteristics described in Dr.Web’s report. Our investigation confirmed the presence of the method used to obtain the C&C server’s address from the CloudFront URL, as well as the methods used to exfiltrate personal data and files.

The malware retrieving the current C&C server address via the CloudFront URL:

Live infected apps with the most installs on the Play Store:

Infected App Name   | Infected Package ID                    | Installs   | Developer Name
--------------------|----------------------------------------|------------|----------------------------
HexaPop Link 2248   | com.hexagon.blocks.colorful.resixlink  | 5,000,000+ | simon90tk
Macaron Match       | com.macaronmatch.fun.gp                | 1,000,000+ | XM Studio
Macaron Boom        | com.macaron.boommatch.gp               | 1,000,000+ | XM Studio
Jelly Connect       | com.blast.game.candy.candyblast        | 1,000,000+ | blinggame
Tiler Master        | com.tilermaster.gp                     | 1,000,000+ | Zhinuo Technology Co., Ltd.
Crazy Magic Ball    | com.crazymagicball.gp                  | 1,000,000+ | XM Studio
Bitcoin Master      | com.cq.merger.ww.bitmerger             | 1,000,000+ | cqwawang
Happy 2048          | com.happy2048.mergeblock               | 1,000,000+ | Zhinuo Technology Co., Ltd.
Mega Win Slots      | com.carnival.slot.treasure.slotparty   | 500,000+   | Jia22

The scale of the problem becomes clear when the collective user base of roughly 30 million people affected by these apps is considered. A large share of the compromised applications are casual games: users install them, play briefly, and then forget they are on the device, so the SDK keeps running unnoticed. Users should therefore scan their devices periodically with reputable mobile security software and uninstall any app that appears in the indicator list below, even if it is no longer in use.

YARA Rule for detection

We have created a YARA rule that flags APKs whose code references the SpinOk C&C host. It relies on the androguard YARA module, so it must be run with a YARA build that includes that module (for example via Koodous). Like any string-based indicator, it will miss samples that obfuscate or encrypt the URL.

import "androguard"

rule android_spinok : malware
{
    meta:
        description = "Android.Spy.SpinOk spyware: SDK fetching its C&C address from the CloudFront host"
    condition:
        androguard.url(/d3hdbjtb1686tn\.cloudfront\.net/)
}
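For analysts without an androguard-enabled YARA build, the following stand-alone scanner is an added example (not CloudSEK’s or Dr.Web’s tooling). It refangs the defanged IOC exactly as printed above, then opens an APK as a zip archive and reports every entry (classes.dex, assets, native libraries) that contains the C&C host, in either UTF-8 or UTF-16LE encoding. The sample APKs it scans are constructed inline and are not real apps; as with the YARA rule, a SpinOk build that obfuscates the URL string would not be caught by this check.

```python
"""Added example: stand-alone scan of APKs for the SpinOk C&C host.

Not CloudSEK's or Dr.Web's code. The only assumption is the one the
report states: the SDK references the CloudFront host as a string.
"""
import io
import re
import zipfile

# IOC copied verbatim (defanged) from the report.
DEFANGED_IOC = "https[:]//d3hdbjtb1686tn[.]cloudfront[.]net/gpsdk.html"


def refang(ioc: str) -> str:
    """Turn '[:]' / '[.]' / 'hxxp' style defanging back into a real URL."""
    return (ioc.replace("[:]", ":").replace("[.]", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOC_URL = refang(DEFANGED_IOC)
IOC_HOST = re.match(r"https?://([^/]+)", IOC_URL).group(1)

# Match the host as UTF-8 (DEX string pool, native strings) and as
# UTF-16LE (Java/Kotlin strings in resources and some config blobs).
HOST_PATTERNS = [
    re.compile(re.escape(IOC_HOST).encode()),
    re.compile(re.escape(IOC_HOST.encode("utf-16-le"))),
]


def scan_apk_bytes(apk: bytes) -> list[str]:
    """Return the names of zip entries that reference the SpinOk host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)  # decompressed entry bytes
            if any(p.search(data) for p in HOST_PATTERNS):
                hits.append(info.filename)
    return hits


def scan_apk_file(path: str) -> list[str]:
    """Convenience wrapper for a real APK on disk."""
    with open(path, "rb") as f:
        return scan_apk_bytes(f.read())


def build_sample_apk(infected: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like an APK, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        dex = b"dex\n035\0" + b"\0" * 32  # fake DEX header, then padding
        if infected:
            # The SDK embeds the config URL as a plain string constant.
            dex += IOC_URL.encode() + b"\0"
        zf.writestr("classes.dex", dex)
        if infected:
            # Hypothetical asset holding the host as UTF-16LE.
            zf.writestr("assets/gp.cfg", IOC_HOST.encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)),
                       ("infected", build_sample_apk(True))):
        print(label, "->", scan_apk_bytes(apk) or "no SpinOk indicator")
```

Running it prints no indicator for the clean sample and lists classes.dex and assets/gp.cfg for the infected one. Against a real APK, pass the path to scan_apk_file; a hit in classes.dex is the strongest signal, since that is where the SDK’s own code lives, while a hit only in a resource may be a stale config left by an earlier SDK version.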

Impact & Mitigation

The wide distribution of compromised applications containing the Android.Spy.SpinOk SDK poses grave threats to user privacy and security. With millions of downloads across various applications, the potential scale of data exfiltration, unauthorized surveillance, and compromise of sensitive information is significant. 

Organizations must take supply chain security seriously and actively implement measures to protect their users from such threats. This must include:

  • Conducting thorough code reviews of the app and its bundled SDKs
  • Vetting third-party SDKs, including advertising and monetization SDKs, before integrating them
  • Regularly monitoring released apps for signs of compromise, such as new network indicators appearing in builds

Mitigating Digital Supply Chain Risks: SVigil's Proactive Approach

This report reveals a widespread problem of malware-infected applications in the Play Store caused by a single malicious SDK, which highlights a critical digital supply chain risk. SVigil is capable of proactively identifying such risks: it detects the use of potentially risky SDKs during app development, before they become a security issue, allowing organizations to respond promptly.

In addition, SVigil conducts a thorough analysis of an organization’s entire digital infrastructure. This analysis isn't limited to large components like cloud vendor services; it extends to smaller elements like JavaScript libraries used on a website's frontend. This comprehensive visibility enables organizations to better understand and manage their digital supply chain.

By creating a detailed map of all digital vendors, integrations, dependencies, and plugins used by an organization, SVigil makes it easy for organizations to identify potential vulnerabilities and threats in their digital supply chain.

SVigil provides robust protection against infrastructure threats by giving detailed insight into third-party dependencies and the security risks they carry, including the ability to spot and mitigate malware introduced through malicious SDKs.

References

  • https://news.drweb.com/show/?i=14705&lng=en
  • https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-installed-421-million-times-from-google-play/

Appendix

IOC - List of Live Infected Applications

Infected Package ID

com.hexagon.blocks.colorful.resixlink

com.diamond.block.gp

com.macaronmatch.fun.gp

com.boommatch.hex.gp

com.macaron.boommatch.gp

com.guaniu.deserttree

com.blast.game.candy.candyblast

com.snailbig.gstarw

com.tilermaster.gp

com.tunai.instan.game

com.crazymagicball.gp

com.yqwl.sea.purecash

com.cq.merger.ww.bitmerger

com.block.bang.blockbigbang

com.happy2048.mergeblock

com.chainblock.merge2048.gp

com.carnival.slot.treasure.slotparty

com.snailbig.gstarfeelw

com.holiday2048.gp

com.ccxgame.farmblast

com.richfive.money.sea

com.bubble.connect.bitconnect

com.hotbuku.hotbuku

com.acemegame.luckyslot

com.crazyfruitcrush.gp

com.tianheruichuang.channel3

com.twpgame.funblockpuzzle

com.kitty.blast.lucky.pet.game

com.sncgame.pixelbattle

com.magicballs.games

com.cute.macaron.gp

com.bird.merge.bdrop

com.slots.lucky.win

com.acemegame.luckycashman

com.happy.aquarium.game

free.vpn.nicevpn

com.blackjack.cash.poker

com.vegas.cash.casino

vip.minigame.idledino

com.meta.chip.metachip

com.circus.coinpusher.free

com.guaniu.lightningslots

vip.minigame.RollingBubblePuzzle

Disclaimer: The information provided regarding the number of affected users and the quantity of apps involved in the malware campaign is based on our research conducted as of June 1, 2023 17:00 IST. Please note that these figures are subject to change as further investigations and discoveries are made. We strive to provide accurate and up-to-date information, but it is essential to acknowledge that the dynamic nature of the cybersecurity landscape may influence the statistics and findings over time.
