
SpinOk

SpinOk is a malicious advertising SDK that was embedded in over 190 legitimate Android applications on Google Play, accumulating more than 421 million downloads before discovery. Marketed by a company called OKSpin as a mobile engagement platform offering mini-games and reward systems, the SDK secretly exfiltrated files, clipboard contents, and device telemetry to remote servers. This was not standalone malware but a supply chain compromise: app developers integrated the SDK believing it was a legitimate advertising library.

Overview

Attribute     Details
First Seen    May 2023 (Dr.Web discovery)
Status        Remediated (SDK updated to remove spyware in v2.4.2)
Type          Malicious SDK, supply chain compromise, spyware
Aliases       SpinOK, OKSpin SDK
Attribution   OKSpin (okspin.tech)
Distribution  Embedded in legitimate Google Play apps via SDK integration

Vendor Names

Vendor     Detection Name
Dr.Web     Android.Spy.SpinOk.1 through Android.Spy.SpinOk.5
ESET       A Variant Of Android/Spy.SpinOk.A
Microsoft  TrojanSpy:AndroidOS/SpinOK.C
Sophos     Andr/SpinOK-A

Origin and Lineage

Dr.Web discovered SpinOk in May 2023, identifying 101 affected applications with a combined 421 million downloads on Google Play. The SDK was marketed by OKSpin as a legitimate monetization tool offering mini-games with daily reward systems that app developers could integrate to boost user engagement and retention.

CloudSEK subsequently identified 92 additional affected apps in June 2023, bringing the total to approximately 193 apps with over 451 million combined downloads. At the time of CloudSEK's discovery, 43 of these apps were still active on Google Play.

The SDK's spyware functionality was hidden behind its legitimate advertising facade. App developers voluntarily integrated it into their apps for monetization, unaware that it was harvesting user data and exfiltrating files in the background.

Distribution

SpinOk was not distributed directly to users. It reached devices through a supply chain attack:

  1. OKSpin marketed the SDK to mobile app developers as a monetization/engagement tool
  2. Developers integrated it into their apps, unaware of hidden spyware functionality
  3. Apps were published to Google Play through normal channels
  4. The SDK appeared legitimate on the surface with functional mini-games and reward systems

Affected Apps

App                                Downloads
Noizz (video editor with music)    100,000,000+
Zapya (file transfer, share)       100,000,000+
VFly (video editor & maker)        50,000,000+
MVBit (MV video status maker)      50,000,000+
Biugo (video maker & editor)       50,000,000+
Crazy Drop                         10,000,000+
Cashzine (earn money reward)       10,000,000+
Fizzo Novel (reading offline)      10,000,000+

Categories of affected apps included casual games, file transfer utilities, video editors, novel readers, and reward/cashback apps.

Capabilities

Data Collection

Capability             Implementation
File enumeration       Lists files in specified directories on the device
File exfiltration      Extracts and uploads files (images, videos, documents) to remote servers
Clipboard theft        Reads, copies, and replaces clipboard contents (passwords, crypto addresses, credit card numbers)
Device fingerprinting  Sends detailed technical device information to C2 on initialization
Sensor fingerprinting  Reads gyroscope and magnetometer data for environment detection

JavaScript Bridge Abuse

The SDK loads content in a WebView and exposes a native bridge to that page's JavaScript execution environment, giving the page the ability to:

  • Enumerate files in specified directories
  • Verify presence of specific files or directories
  • Extract and upload files from the device to remote servers
  • Read and replace clipboard contents

This JavaScript bridge is the primary mechanism for data theft. The C2 server sends instructions through the WebView content that invoke these native capabilities.
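The risk in a bridge like this is not the WebView itself but which native methods are reachable from page JavaScript. The following added example (not SpinOk's code, and not part of the original page) is a small static audit over decompiled Java: it lists every `@JavascriptInterface` method, checks whether the declaring class is actually handed to `addJavascriptInterface`, and flags methods whose bodies touch filesystem, clipboard or network APIs. The sample source, package name `com.example.adsdk`, class names `NativeBridge`/`AdView` and JS object name `"adsdk"` are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed fragment of decompiled Java, shaped like the bridge the
# capability table describes. It is NOT SpinOk's source: package, class,
# method and JS-object names are invented for the example.
SAMPLE_SOURCE = """
package com.example.adsdk;

public class NativeBridge {
    @JavascriptInterface
    public String listDir(String path) {
        return String.join(",", new File(path).list());
    }

    @JavascriptInterface
    public String readClip() {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        return cm.getPrimaryClip().getItemAt(0).getText().toString();
    }

    @JavascriptInterface
    public int sdkVersion() {
        return 2;
    }
}

public class AdView {
    void init(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new NativeBridge(), "adsdk");
    }
}
"""

# Android APIs whose presence inside a JS-reachable method deserves review.
SENSITIVE_APIS: Dict[str, List[str]] = {
    "filesystem": [r"\bnew File\(", r"\.listFiles\(", r"\.list\(", r"FileInputStream"],
    "clipboard": [r"ClipboardManager", r"getPrimaryClip", r"setPrimaryClip"],
    "network": [r"HttpURLConnection", r"OkHttpClient", r"MultipartBody"],
}

ANNOTATION_RE = re.compile(r"@JavascriptInterface")
SIG_RE = re.compile(r"public\s+(?:static\s+|final\s+)*[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
EXPOSE_RE = re.compile(r'addJavascriptInterface\(\s*new\s+(\w+)\s*\([^)]*\)\s*,\s*"(\w+)"')


@dataclass
class BridgeFinding:
    cls: str               # class that declares the method
    method: str            # method name callable from page JavaScript
    categories: List[str]  # sensitive API categories referenced in its body


def _method_body(src: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching closing brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]


def find_bridge_methods(src: str) -> List[BridgeFinding]:
    """Every @JavascriptInterface method, with the sensitive APIs its body touches."""
    findings = []
    for ann in ANNOTATION_RE.finditer(src):
        sig = SIG_RE.search(src, ann.end())
        if sig is None:
            continue
        # Enclosing class: the last 'class X' declared before the annotation.
        classes = [m.group(1) for m in CLASS_RE.finditer(src, 0, ann.start())]
        body = _method_body(src, sig.end() - 1)
        cats = [name for name, pats in SENSITIVE_APIS.items()
                if any(re.search(p, body) for p in pats)]
        findings.append(BridgeFinding(classes[-1] if classes else "?", sig.group(1), cats))
    return findings


def exposed_interfaces(src: str) -> Dict[str, str]:
    """Map bridge class name -> JavaScript object name per addJavascriptInterface call."""
    return {m.group(1): m.group(2) for m in EXPOSE_RE.finditer(src)}


def audit(src: str) -> List[BridgeFinding]:
    """Bridge methods that are both reachable from page JavaScript and touch sensitive APIs."""
    exposed = exposed_interfaces(src)
    return [f for f in find_bridge_methods(src) if f.cls in exposed and f.categories]


if __name__ == "__main__":
    for f in audit(SAMPLE_SOURCE):
        print(f"{f.cls}.{f.method}: reachable from JS, touches {', '.join(f.categories)}")
```

Run against real decompiler output (jadx or similar), this is a triage aid rather than a verdict: a flagged method still needs a reader to confirm what the loaded page can pass into it, and reflection, obfuscated names or string-built class names will slip past the regexes.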

Technical Details

C2 Communication

On initialization, the SDK connects to its C2 infrastructure and sends a request containing detailed device technical information. The C2 responds with a list of URLs that the SDK opens in WebView to display advertising banners. These loaded pages contain the JavaScript that invokes the spyware functionality through the exposed native bridge.

Known C2 infrastructure includes CloudFront-hosted endpoints (d3hdbjtb1686tn.cloudfront.net/gpsdk.html).

Anti-Analysis

Technique              Details
Sensor fingerprinting  Checks gyroscope and magnetometer data to detect emulator/sandbox environments; alters behavior if a virtualized environment is detected
Proxy bypass           Ignores device proxy settings to hide network connections during analysis, defeating traffic interception tools

Notable Campaigns

May 29, 2023: Dr.Web publishes the initial discovery, identifying 101 affected apps with 421 million combined downloads. BleepingComputer and Infosecurity Magazine publish follow-up coverage.

June 2023: CloudSEK discovers 92 additional affected apps, expanding the total to 193 apps with over 451 million downloads.

H2 2023: ESET's threat report ranks SpinOk 7th in Top 10 Android detections, accounting for nearly one-third of all spyware detections in H2 2023.

September 2023: OKSpin contacts Dr.Web to address the detection and subsequently updates the SDK to version 2.4.2, removing all spyware features.

IOCs

Dr.Web published a full IOC set on GitHub containing 76 package names with corresponding SHA-1 hashes. CloudSEK created a YARA rule targeting the CloudFront domain pattern (d3hdbjtb1686tn.cloudfront.net) for identification in Android APKs.
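A string-level check of the kind CloudSEK's rule performs can be reproduced without YARA. The following added example (not CloudSEK's rule and not part of the original page) opens an APK as a zip, scans the DEX, resource table and asset members for the CloudFront host named above, searching both raw ASCII and UTF-16LE encodings, and reports which member matched. The `build_sample_apk` helper and the two sample "APKs" are constructed stand-ins with fake DEX/ARSC blobs so the block runs offline; `scan_apk_file` is the entry point for a real file.

```python
import io
import re
import zipfile
from typing import Dict, List, Sequence, Tuple

# Indicator taken from the page: the CloudFront host the SDK contacted.
C2_HOST = b"d3hdbjtb1686tn.cloudfront.net"

# Each indicator is searched as raw ASCII (the DEX string pool is MUTF-8, so
# ASCII hosts appear verbatim) and as UTF-16LE (resources.arsc may use it).
INDICATORS: Dict[str, List[bytes]] = {
    "spinok_c2_host": [C2_HOST, C2_HOST.decode().encode("utf-16-le")],
}

# Members worth scanning; signatures, the binary manifest and compiled res/ XML are skipped.
SCAN_MEMBERS = re.compile(r"^(classes\d*\.dex|resources\.arsc|assets/.*|res/raw/.*)$")


def scan_apk(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, indicator name) for every indicator found in the APK bytes."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not SCAN_MEMBERS.match(info.filename):
                continue
            blob = zf.read(info.filename)
            for name, needles in INDICATORS.items():
                if any(n in blob for n in needles):
                    hits.append((info.filename, name))
    return hits


def scan_apk_file(path: str) -> List[Tuple[str, str]]:
    """Scan an APK on disk (assumed path; not part of the page)."""
    with open(path, "rb") as fh:
        return scan_apk(fh.read())


def build_sample_apk(dex_strings: Sequence[bytes], arsc_strings: Sequence[str] = ()) -> bytes:
    """Constructed stand-in for an APK: a zip whose classes.dex and resources.arsc
    are fake blobs holding only the supplied strings (not valid DEX/ARSC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
        zf.writestr("resources.arsc", "\x00".join(arsc_strings).encode("utf-16-le"))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed samples: one carrying the published host, one clean.
SUSPECT_APK = build_sample_apk(
    [b"Lcom/example/ads/AdView;", b"https://" + C2_HOST + b"/gpsdk.html"])
CLEAN_APK = build_sample_apk(
    [b"Lcom/example/app/MainActivity;", b"https://example.com/banner.html"])

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("clean", CLEAN_APK)):
        print(label, scan_apk(apk) or "no indicators")
```

Like the YARA rule, this catches only a plaintext copy of the host: a version of the SDK that encrypts its strings or fetches the URL list at runtime would produce no hit, so a clean scan is not a clean bill of health, and a hit should be confirmed against Dr.Web's package-name and SHA-1 list before an app is labelled.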

SpinOk represents the same class of supply chain compromise as Goldoson, another malicious SDK discovered embedded in legitimate Google Play apps. Both were marketing/advertising SDKs that secretly collected device data and operated through JavaScript bridges in WebView. The key difference is scale: SpinOk reached 421M+ downloads compared to Goldoson's 100M+.

The Necro trojan also used SDK-based supply chain compromise through the Coral SDK, though Necro's SDK was more overtly malicious with ad fraud and payload downloading capabilities.
