Android apps with 30 million downloads contain SpinOk Android malware — delete these now

Green skull on smartphone screen.
(Image credit: Shutterstock)

Following the discovery that over a hundred Android apps with 400 million combined downloads actually contained the SpinOk malware, security researchers have now found that an additional 92 apps are also affected.

For those unaware, SpinOk is a spyware module that was being distributed as a software development kit (SDK) for advertisers. First discovered by the antivirus maker Dr. Web, developers unknowingly added it to their apps as a way to insert minigames that provide their users with minigames and “daily rewards” in order to hold their attention.

Unfortunately though, SpinOk is actually a new malware strain that can perform a number of malicious activities in the background, including listing files in directories, searching for particular files, uploading files from an infected smartphone or copying and replacing content from a device’s clipboard. The module’s file exfiltration functionality can be abused to expose private images, videos and documents while the clipboard modification functionality could be used by hackers to steal passwords and credit card data from an infected smartphone.

Although Dr. Web found 101 apps that contain the SpinOk malware, the cybersecurity firm CloudSEK has now discovered an additional 92 infected apps which have been downloaded 30 million times. Also, to make matters worse, 43 of which were still available from the Play Store at the time of writing but Google is likely already working on removing them.

Delete these apps right now

By using the indicators of compromise (IoCs) provided in Dr. Web’s report, CloudSEK was able to find even more Android apps infected with the SpinOk malware according to BleepingComputer. When CloudSEK released its own report on the matter, almost half (43) of these bad apps were still available to download from the Play Store.

Below you’ll find a list of the most popular Android apps which contain the SpinOK malware along with their developers. However, you can find the full list here in the appendix section of CloudSEK’s report.

  • Macaron Match (XM Studio) – 1 million downloads
  • Macaron Boom (XM Studio) – 1 million downloads
  • Jelly Connect (Bling Game) – 1 million downloads
  • Tiler Master (Zhinuo Technology) – 1 million downloads
  • Crazy Magic Ball (XM Studio) – 1 million downloads
  • Happy 2048 (Zhinuo Technology) – 1 million downloads
  • Mega Win Slots (Jia22) – 500,000 downloads

Just like with the previous Android apps infected with the SpinOk malware, it’s very likely that their developers used the malicious SDK as an advertising library while being completely unaware that it was actually malicious.

If you have one of these apps or even several installed on your Android smartphone, it’s highly recommended that you delete them immediately. Their developers are likely working to remove the malicious SDK but it isn’t worth the risk of leaving them on one of the best Android phones at the moment. These apps will likely be fine to reinstall later, once the SpinOK module has been removed.

In a statement to Tom's Guide, a Google spokesperson provided further details on SpinOk, saying: 

“The safety of users and developers is at the core of Google Play. We have reviewed recent reports on SpinOK SDK and are taking appropriate action on apps that violate our policies. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from other sources.” 

How to stay safe from Android malware and malicious apps

Android malware on phone

(Image credit: Shutterstock)

Even the best Android apps can turn malicious overnight thanks to the SpinOk malware and other supply-chain attacks. For this reason, it’s a good idea to limit the number of apps you have installed on your Android smartphone and think twice before adding any new apps.

When you do want to install a new app, you should check its rating and read any reviews carefully while also being aware of the fact that both ratings and reviews can be faked. This is why you also want to look for external reviews and if possible, video reviews that show an app in action.

Likewise, you also want to be careful when installing apps that request unnecessary permissions. For instance, that level or photo-editing app doesn’t likely need to be able to access your contacts and call history to work.

For additional protection from mobile malware and malicious apps, you should consider installing one of the best Android antivirus apps on your phone. If you’re on a tight budget, don’t worry as Google Play Protect (which is free and comes pre-installed on most Android phones) can also scan both your existing apps as well as any new ones you download for malware.

Now that even more apps have been found to contain the SpinOk malware, we’ll likely get an official response from Google soon. In the meantime though, you should delete any of the apps in question if you happen to have them installed on your Android phone or tablet.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.