vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

SpinOk Malware Found in More Apps with 30M Installs

Husain Parvez, Cybersecurity Researcher. Published on 8th June 2023

A cybersecurity firm, CloudSEK, has discovered many apps infected with SpinOk malware on the Google Play store after an extensive investigation. Their research team identified 193 infected apps, 43 of which were still active on the Google Play Store within the past week.

The SpinOk malware was initially discovered in May 2023 by Dr. Web, a cybersecurity software company. Appearing as an advertisement software development kit (SDK), it is a trojan that functions as spyware.

According to BleepingComputer, Dr. Web's findings at the time revealed that the malware had been downloaded more than 421 million times through various apps. According to the mobile security company's report, SpinOk malware was likely distributed through a supply chain attack targeting the software development kits (SDKs) used by numerous apps.

Initially appearing as an innocuous SDK, the malware operated by offering users daily rewards through mini-games, a legitimate tactic employed by developers to engage their audience. However, in the background, the trojan could pilfer files and copy the contents of the user’s clipboard in an effort to find account credentials and other personal information.

Building upon Dr. Web's May report, CloudSEK utilized the indicators of compromise (IoCs) provided to identify additional SpinOk infections. Through this process, they discovered an extra 92 infected apps, expanding the list of malicious applications to 193. Approximately half of these apps were accessible on the Google Play store.

Among the newly identified apps, HexaPop Link 2248 had the most downloads, with over 5 million installations. However, it has since been removed from Google Play following CloudSEK's report.

Here are some of the popular Android apps that have been identified as containing the SpinOk malware, along with their developers and the number of downloads:

  • Macaron Match (XM Studio) - 1 million downloads
  • Macaron Boom (XM Studio) - 1 million downloads
  • Jelly Connect (Bling Game) - 1 million downloads
  • Tiler Master (Zhinuo Technology) - 1 million downloads
  • Crazy Magic Ball (XM Studio) - 1 million downloads
  • Happy 2048 (Zhinuo Technology) - 1 million downloads
  • Mega Win Slots (Jia22) - 500,000 downloads

Please note that this is not an exhaustive list. For a comprehensive list of all infected apps, refer to the appendix of CloudSEK's report.

Speaking to Tom’s Guide about the issue, a Google spokesperson had the following to say:

“The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.”
