Updated: 19.01.2024
We, at Roaster Earn, would like to share our recent case and the complete absence of many legitimate survey applications from the Google Play Store.
We value transparency and professionalism in our communication, and we appreciate your understanding as we navigate through these challenges. On 3rd January 2023, we received a proposal from a third party company called "OKSpin" Their proposal was to implement their gaming platform within our app. According to their invitation, they had already collaborated with over 1000+ developers around the world. With OKSpin, an app can enhance user experiences through various games and activities. Before we implement and work with third party companies, we carefully research and evaluate them. With OKSpin, we found that it's quite popular within our industry and many developers have integrated them within their applications, and some been using them for more than a year.
After conducting further researching, such as talking with fellow developers and looking for positive reviews, we determined the safety of OKSpin. It's worth to note we have also conducted a review of OKSpin in the Wayback Machine and the first available records from their existence were since 20th December, 2021. This means, at the time of our invitation, OKSpin had already been operating for years. Due to technical reasons we were unable to instantly integrate their gaming platform within Roaster Earn. It took few months, and we successfully launched a new app update in April 2023, not knowing that this would be the start of a complete disaster.
Approximately 1 month later, on an early morning, we have received a Policy Violation from Google and our application "Roaster Earn" has been completely suspended from the Google Play Store.
The reason provided: Your app has been suspended and removed as it is not compliant with the Malware policy as it contains an SDK (SpinOK, class name: com.spin.ok.gp) with Malware.
This simply means that a malware has been discovered in OKSpin. After we conducted internal investigation, we found out that an anti-malware company called Doctor Web discovered a new strain of spyware, dubbed “SpinOk,” in more than 100 Android apps. The spyware, which is disguised as an advertising software development kit (SDK), has been downloaded over 400 million times from the Google Play Store.
Hundreds of apps were instantly suspended from the Google Play due to this. The news quickly spread all over the world in multiple media outlets, including: India Today, Tom's Guide and many more. Immediately after our app suspension, we have reached out to OKSpin for more information and they said that their SDK was identified as malicious wrongly. We personally cannot confirm or deny those statements, but it was a fact that our application was no longer available in the Google Play Store, after more than three years of very hard work, dedication, full policy compliant, and always strived to maintain a high standard of quality and security for our app users.
Afterwards we have learned about the official statements from OKSpin, which you can read here: OFFICIAL OKSPIN STATEMENT, and a more technical overview on how they handle data and permission requests: OKSPIN TECHNICAL OVERVIEW
According to the statements report and technical overview from OKSpin, it does not indicate malicious practices, associated with SpinOK SDK
Shortly after our suspension, we have appealed to Google Play that we were unaware of the practices
associated with OKSpin and we requested to resolve the issue by completely removing OKSpin SDK from Roaster Earn.
Our appeal was successful and we were granted with the opportunity to restore our application in the Google Play Store.
Following our app's reinstatement on Google Play, we ceased all communication with OKSpin and terminated all associations with them.
But our issues did not end there. On August 8th 2023, we received another Policy Violation from Google Play, and our application was instantly suspended from the Google Play Store for a second time.
The reason provided by Google was:
Your app contains content or code that isn’t compliant with Google Play’s Developer Distribution Agreement.
We have identified a pattern of high risk of abuse and are taking this action because we have strong indications
that your app contains code or content that doesn't comply with the Developer Program policy.
We conducted a new internal investigation, which involved a complete review of our entire application code/content. Due to many reasons, including finding similar cases and the timing of our second suspension, we have strong reasons to believe, somehow, it is also related or incentivized by the SpinOK SDK issue with package name: com.spin.ok.gp
With the provided reason by Google, they also mentioned: Google Play’s Policy Coverage Page, which specifically states:
We don’t allow apps or app content that undermine user trust in the Google Play ecosystem. In assessing whether to include or remove apps from Google Play, we consider a number of factors including, but not limited to: news reporting, previous violation history...
The SpinOK issue got a very wide response from the media and there is a github list, showing the top 100 "infected" apps
This list is spreading within news articles and for some reason, out of the 100 listed apps, only around 7 are still available in Google Play,
at the time of writing our case. It's worth to note these are apps with millions of downloads and it does not look like their developers would just abandon them, without appealing, for months.
Regardless what reason is provided by Google, we are confident all these new occurances and policy violations
are incentivized by the SpinOK issue
SECOND APPEAL - RESULTS
After 44 Days of Progress, We are thrilled to share the wonderful news that our app, "Roaster Earn," has been successfully reinstated on Google Play. We are deeply thankful for the incredible support we received from our users, and we appreciate your patience throughout this process.
A Lesson Learned: Third-Party SDKs
Our journey through this experience has taught us an invaluable lesson about the importance of carefully evaluating third-party SDKs before integration. While third-party SDKs can offer powerful features and functionalities, they can also introduce unforeseen challenges and risks.
A Word of Caution
For any developer who may come across our case, we would like to emphasize the need for diligence when considering third-party SDKs. Here are a few key takeaways:
Thorough Research: Before integrating any third-party SDK, conduct extensive research on the provider. Check their reputation, reviews, and history to ensure they are trustworthy and align with your app's values.
Understand Permissions: Understand the permissions and access the SDK requires. Ensure they are necessary for your app's functionality and respect user privacy.
Regular Audits: Periodically review and audit your app's dependencies, including third-party SDKs, to ensure they remain secure and compliant with platform guidelines.
Google Play SDK Index: Consider using third-party SDKs that are registered in the Google Play SDK Index. This promotes transparency and professionalism, as well as confidence in the SDK's adherence to best practices.
Our Commitment to Users
We want to assure our users that we remain fully committed to providing a safe and positive experience while completely respecting your privacy rights. We deeply value your trust, and we will continue to work tirelessly to ensure the security and reliability of "Roaster Earn."
Once again, thank you for your unwavering support. We look forward to continuing our journey with you and delivering an even better "Roaster Earn" experience.
What Comes Next?
We will continue investigating the case with SpinOK, and we sincerely hope there won't be a season 3 of our issues. In addition, we are actively preparing and will be sending suggestions to Google Play that will help prevent similar issues from occurring again in the future.
Message to Commercial Third-Party SDKs
We also want to extend a message to all commercial third-party SDK providers. We strongly encourage all commercial third-party SDKs to register their SDK in the Google Play SDK Index. By doing so, you contribute to the promotion of transparency and professionalism within the app development community. Collaboration with Google Play app developers and full transparency in your practices are essential steps toward ensuring a safe and reliable app ecosystem for all users.
Once again, we express our gratitude to all our users for their unwavering support and extend our appreciation to the Google Play Team for their relentless efforts in maintaining the security of the Google Play Store.
UPDATE: 08/10/2023
We have conducted another review in the SpinOK case and we noticed the official Dr. Web website published a new report, on September 15, 2023,
The SpinOk company contacted the Doctor Web company to verify and eliminate the causes of the detection. After verification and correction by the SpinOK company, the software module ( com.spin.ok.gp ) was updated to version 2.4.2 in which the malicious features are absent.
Source: https://news.drweb-av.it/show/?i=14705
UPDATE: 01/19/2024
To clarify, despite the SpinOK upgrade to version 2.4.2 in which the malicious features are absent, according to Doctor Web company, the SpinOK SDK com.spin.ok.gp will never re-appear in any of our applications, there won't be any considerations and all association with OKSpin will remain fully terminated.
OFFICIAL STATEMENT FROM ROASTER EARN
1. Roaster Earn does not contain any malware and is not engaged in any malicious activities. We uphold a rigorous and proactive approach to security and compliance by subjecting Roaster Earn's entire code and content to consistent and thorough reviews. These reviews are conducted both through automated processes and manual examinations to ensure the prevention of any policy violations or data breaches. We understand the importance of safeguarding user data and upholding the highest standards of integrity and trustworthiness in our operations. By conducting regular code and content reviews, we demonstrate our dedication to providing a safe and trustworthy platform for our users.
2. Roaster Earn is a legitimate earning application, offering various games, tasks and offerwalls for users to play and earn rewards.
3.During implementing OKSpin SDK, we were not aware of their requested permissions or their involvement in malicious practices. Our
research have discovered that this company is well known and used in our industry, since late 2021 and according to their invitation, they had already collaborated with more than 1000+ Developers around the world.
4. Following our first Policy Violation, we have completely removed the SpinOK SDK with package name: com.spin.ok.gp from our application Roaster Earn: com.roaster.earn.easy and terminated all association with OKSpin!
5. To proactively prevent future occurrences, we have implemented a comprehensive set of policies to rigorously evaluate potential third-party companies before integrating their services into our applications. These policies encompass a multifaceted approach, which includes seeking Google's consent through various channels. Furthermore, to enhance the accuracy and effectiveness of our decision-making process, we will leverage further the Google Play SDK Index as an additional resource to make more informed and data-driven choices.
These policies are designed to safeguard our organization's interests and uphold our commitment to data security, compliance, and performance.
6. As Developers, we strongly believe that no application/developer was aware of the malicious practices, associated with SpinOK.
We believe everyone implemented OKSpin, thinking is a legitimate platform
7. In addition we want to note, Google Play Protect checks apps when you install them. It also periodically scans your device. If it finds a potentially harmful app, it might:
It's worth noting that, prior to the official launch of OKSpin, we conducted thorough manual testing of the application. During this testing phase, it came to our attention that Google Play Protect did not detect the presence of malware within the application. At the time either Google Play Protect was not functioning correctly or this particular malware had not yet been identified within its database.
We want to clarify that Roaster Earn is dedicated to user safety and data security, and we take all necessary precautions to maintain compliance with Google's policies. Roaster Earn can be safely downloaded and used from our Official Website - https://roasterearn.website
Thank you for reading
Roaster Earn Team