Supply Chain Attacks and the SpinOk Malware

We Don't Byte!: A Cybersecurity Digest

We Don’t Byte, Ep. 1  •  Karan Gupta


Researchers have uncovered malware in a set of Android apps that, collectively, have been downloaded over 450 million times. There are a few security concepts we can explain here (supply-chain attacks!), so let’s dive in!


🗺️ The Overview

First discovered by researchers at Dr. Web, the SpinOk malware is the vehicle for something called a supply-chain attack.

🤔 Supply-chain attacks? When you think of cyberattacks, you might picture direct attacks—attacks that target the victim directly. For instance, breaking into a company’s networks or DDoSing its website (think of this as “spamming” the website, except on a MASSIVE scale—enough to overwhelm it completely).

But supply-chain attacks take a stealthier route. Many software products—say, an app—aren’t developed 100% from scratch. Most also use software that’s already been developed by other vendors (companies)—and that makes sense! If you’re developing a racing game and someone’s already developed software to, for example, display 3D graphics, why reinvent the wheel?

Supply-chain attacks take advantage of this. Attackers plant malware in 3rd-party software (software that’s been developed by someone else). That means every larger piece of software that uses the 3rd-party software also gets “infected” with the malware. Oftentimes, these infected 3rd-party components are Trojans—software that seems to legitimately do its job, but secretly contains malware (inspired by the Trojan Horse!). That makes supply-chain attacks especially hard to detect.

It’s important to note that, in most cases, the victim products aren’t Trojans themselves. They are usually legitimate products whose developers trust the 3rd-party software they use. Unfortunately for them, supply-chain attackers take advantage of that trust.

In this case, SpinOk is the Trojan software, while the victims are legitimate Android apps. Specifically, SpinOk is an SDK that helps Android apps offer daily rewards and prizes to their users. (Ever had to spin a wheel to receive a “daily prize” in a mobile game?  Yeah, that.)

🤔 SDKs? SDK is short for software development kit. It’s a kind of 3rd-party software that’s made specifically to help other developers. In this case, the SpinOk SDK allows app developers to add rewards, prizes, and giveaways to their Android apps without having to code these features themselves.

Like all Trojans, the SDK does its job well—which explains why it’s used by over 100 apps. But once activated, it starts doing a few suspicious things behind the scenes. Let’s break down some of the specifics identified in the Dr. Web report.


🔎 The Specifics

Aside from the rewards and prizes, the SpinOk SDK helps apps display advertisements. But this is where the software starts acting pretty suspiciously. Let’s look at what it does:

1. Contacts the C&C server. The first thing the SpinOk code does once activated is connect to something called the command & control server.

🤔 C&C Server? A command and control (C&C) server is a computer controlled by attackers that can issue commands to malware running on infected devices.

Take an example: let’s say you unknowingly download malware from a random website onto your computer. Once the malware is running, the attacker (likely the person who put the malware on the website in the first place) could use a C&C server to control the malware remotely, and command it to steal a certain file on your computer, for example.

Back to SpinOk. When it connects to the C&C server, it sends a request—disguised as a legitimate message needed to start displaying mobile ads—and includes a large amount of information about the victim device (for instance, its carrier, serial number, and even data from its sensors).

2. Opens up a WebView. After connecting to the C&C server, the malware takes a few seemingly “normal” steps to start displaying ads; it opens something called a WebView—an Android component that’s like a mini web browser. It’s commonly used to display ads inside Android apps.

But this opens a dangerous loophole: the WebView allows the malware to run code it previously didn’t have the permissions for. For example, if the malware tried to run a command like listFiles()—which lists files on the victim device—just by itself, it would be denied, as the Android OS has protections against accessing such sensitive information. But by running the same command through a WebView, the malware can get around these restrictions!

That might be a little complicated, but the gist is that a loophole in WebViews allows the SpinOk malware to access things it shouldn’t be able to see.
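To make the loophole concrete, here is an added example (not code from the SpinOk SDK, the affected apps, or the Dr. Web report). The digest doesn’t name the mechanism, so the code assumes the usual one: an app hands web content a JavaScript bridge via WebView.addJavascriptInterface, and every method on that bridge runs with the app’s own permissions rather than the web page’s. The class and method names (AdWebViewExamples, DeviceBridge, listFiles, isAllowed) are hypothetical; listFiles only mirrors the capability named above. The hardened setup beside it is what a reviewer would expect any ad-rendering SDK to do: no bridge, no file access, and navigation pinned to the expected host over HTTPS.

```java
import android.content.Context;
import android.net.Uri;
import android.text.TextUtils;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/*
 * Added example, not from the SpinOk SDK or the Dr. Web report.
 * Assumption: the "WebView loophole" is a JavaScript bridge; the bridge
 * method below is a hypothetical illustration of the listed capability.
 */
public final class AdWebViewExamples {

    /** Hypothetical bridge. Anything annotated @JavascriptInterface becomes
     *  callable from whatever page the WebView loads, with the APP's permissions. */
    static final class DeviceBridge {
        private final Context ctx;
        DeviceBridge(Context ctx) { this.ctx = ctx; }

        // Exposed to JavaScript as window.device.listFiles(): a remote page can
        // now enumerate the app's private storage, which plain web content cannot.
        @JavascriptInterface
        public String listFiles() {
            String[] names = ctx.getFilesDir().list();
            return names == null ? "" : TextUtils.join("\n", names);
        }
    }

    /** Weak setup: JS on, bridge exposed, file access on, any server-supplied URL loaded.
     *  Whoever controls adUrl (for example a C&C server) controls the bridge. */
    public static void configureRisky(WebView view, Context ctx, String adUrl) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                                   // file:// readable by page content
        view.addJavascriptInterface(new DeviceBridge(ctx), "device"); // the loophole
        view.loadUrl(adUrl);
    }

    /** Hardened setup: no bridge, no local file/content access, navigation pinned to one host. */
    public static void configureHardened(WebView view, final String expectedHost, String adUrl) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(false);   // if the ad format truly needs JS, keep it on but still add no bridge
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        view.removeJavascriptInterface("device");   // no-op if never added; states the intent explicitly
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest req) {
                // Returning true cancels the navigation: block anything off the expected HTTPS host.
                Uri u = req.getUrl();
                return !isAllowed(u.getScheme(), u.getHost(), expectedHost);
            }
        });
        Uri initial = Uri.parse(adUrl);
        if (isAllowed(initial.getScheme(), initial.getHost(), expectedHost)) {
            view.loadUrl(adUrl);
        }
    }

    /** Pure policy check, kept free of Android types so it can be unit-tested on a plain JVM. */
    static boolean isAllowed(String scheme, String host, String expectedHost) {
        return "https".equals(scheme)
                && expectedHost != null
                && host != null
                && expectedHost.equalsIgnoreCase(host);
    }
}
```

When auditing a third-party SDK you don’t have source for, the practical check is the same as the difference between these two methods: decompile and search for addJavascriptInterface, setAllowFileAccess(true), and WebView.loadUrl fed from a network response. A rewards or ad SDK has no business exposing file, clipboard, or upload methods to web content, and the hardened version shows that removing them costs nothing in ad functionality.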

3. Accesses and alters sensitive data. At this point, the malware can do a lot of unauthorized things, including:

  • listFiles(): Listing sensitive files on the victim device
  • getFileContent(): Accessing these sensitive files
  • readClipboard(): Reading the clipboard (basically reading whatever the user has copied, which very often includes sensitive data like passwords, credit card numbers, addresses, phone numbers, etc.)
  • pushEvent(): Data exfiltration (in other words, removing data from the victim device and sending it somewhere else—in this case, to the C&C server, and into the hands of the attacker)

So it’s pretty clear that the SpinOk malware puts a LOT of sensitive user data at risk of being exposed.


🧑🏿‍⚖️ The Implication

Unfortunately, researchers from Dr. Web and CloudSEK estimate that the SpinOk malware has been downloaded over 450 million times, with 193 apps carrying it—43 of which can actually be found on the Google Play Store. These aren’t small apps, either; several of them have been downloaded at least 1 million times. That’s a lot of potential data leaks.

Google has since taken appropriate action to remove infected apps from the Google Play store, but the massive proliferation of the SpinOk malware remains a great example of the dangers of supply chain attacks. 🔥