APKPure, one of the largest alternative app stores outside of
the Google Play Store, was infected with malware this week,
allowing threat actors to distribute Trojans to Android
devices.

In an incident that’s similar to that of German
telecommunications equipment manufacturer Gigaset[1], the APKPure client
version 3.17.18 is said to have been tampered with in an attempt to
trick unsuspecting users into downloading and installing malicious
applications linked to the malicious code built into the APKPure
app.

The development was reported by researchers from Doctor Web[2]
and Kaspersky[3].


“This trojan belongs to the dangerous Android.Triada malware
family capable of downloading, installing and uninstalling software
without users’ permission,” Doctor Web researchers said.

According to Kaspersky, the APKPure version 3.17.18 was tweaked
to incorporate an advertisement SDK that acts as a Trojan dropper
designed to deliver other malware to a victim’s device. “This
component can do several things: show ads on the lock screen; open
browser tabs; collect information about the device; and, most
unpleasant of all, download other malware,” Kaspersky’s Igor
Golovin said.

In response to the findings, APKPure released a new version
of the app (version 3.17.19) on April 9 that removes the malicious
component. “Fixed a potential security problem, making APKPure
safer to use,” the developers behind the app distribution platform
said[4] in the release notes.

Joker Malware Infiltrates Huawei AppGallery

APKPure is not the only third-party Android app hub to encounter
malware. Earlier this week, Doctor Web researchers disclosed[5]
that they had found 10 apps compromised with Joker[6]
(or Bread) trojans in Huawei’s AppGallery, marking the first time
malware has been detected in the company’s official app store.

The decoy apps, which took the form of a virtual keyboard,
camera, and messaging apps from three different developers, came
with hidden code to connect to a command-and-control (C2) server to
download additional payloads that were responsible for
automatically subscribing device users to premium mobile services
without their knowledge.


Although the app listings have since been “hidden” from the
AppGallery store, users who have previously installed the apps
continue to remain at risk until they are removed from their
phones. The list of malware apps is below:

  • Super Keyboard (com.nova.superkeyboard)
  • Happy Colour (com.colour.syuhgbvcff)
  • Fun Color (com.funcolor.toucheffects)
  • New 2021 Keyboard (com.newyear.onekeyboard)
  • Camera MX – Photo Video Camera (com.sdkfj.uhbnji.dsfeff)
  • BeautyPlus Camera (com.beautyplus.excetwa.camera)
  • Color RollingIcon (com.hwcolor.jinbao.rollingicon)
  • Funney Meme Emoji (com.meme.rouijhhkl)
  • Happy Tapping (com.tap.tap.duedd)
  • All-in-One Messenger (com.messenger.sjdoifo)
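
To check a device for these apps, the sketch below (an added example, not code from Doctor Web or Huawei) matches the package IDs listed above against the output of `adb shell pm list packages`, with or without `-f`. The function names and the sample output are constructed for illustration.

```python
"""Flag package IDs from the article's Joker list in `pm list packages` output."""

# Package IDs and app names exactly as listed in the article above.
JOKER_PACKAGES = {
    "com.nova.superkeyboard": "Super Keyboard",
    "com.colour.syuhgbvcff": "Happy Colour",
    "com.funcolor.toucheffects": "Fun Color",
    "com.newyear.onekeyboard": "New 2021 Keyboard",
    "com.sdkfj.uhbnji.dsfeff": "Camera MX – Photo Video Camera",
    "com.beautyplus.excetwa.camera": "BeautyPlus Camera",
    "com.hwcolor.jinbao.rollingicon": "Color RollingIcon",
    "com.meme.rouijhhkl": "Funney Meme Emoji",
    "com.tap.tap.duedd": "Happy Tapping",
    "com.messenger.sjdoifo": "All-in-One Messenger",
}

def parse_pm_list(output):
    """Yield package IDs from `pm list packages` output (plain or -f form)."""
    for raw in output.splitlines():
        line = raw.strip()  # adb output can carry a trailing carriage return
        if not line.startswith("package:"):
            continue  # skip warnings and blank lines
        fields = line[len("package:"):].split()
        if not fields:
            continue
        # fields[0] is "<id>" or, with -f, "<apk path>=<id>". The path itself
        # may contain "=" on newer Android, so keep what follows the LAST "=".
        yield fields[0].rpartition("=")[2]

def find_listed(output):
    """Return sorted (package_id, app_name) pairs that are on the list."""
    installed = set(parse_pm_list(output))
    return sorted((p, JOKER_PACKAGES[p]) for p in installed if p in JOKER_PACKAGES)

# Constructed sample mixing plain, -f and extra-field lines; not real device output.
SAMPLE = (
    "package:com.android.settings\r\n"
    "package:/data/app/~~Qx1==/com.tap.tap.duedd-Zk9==/base.apk=com.tap.tap.duedd\r\n"
    "WARNING: constructed noise line\r\n"
    "package:com.nova.superkeyboard uid:10234\r\n"
    "package:com.example.superkeyboard\r\n"  # similar name, not on the list
)

if __name__ == "__main__":
    for pkg, name in find_listed(SAMPLE):
        print(f"LISTED: {pkg} ({name})")
```

Exact matching on the full package ID avoids flagging unrelated apps that merely share a word with a listed name.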

In addition, the researchers said[7] the same malware payload was
“used by some other versions of the
Android.Joker, which were spread, among other places, on the Google
Play, for example, by apps such as Shape Your Body Magical Pro, PIX
Photo Motion Maker, and others.” All the apps have been removed
from the Play Store.

References

  1. ^ equipment manufacturer Gigaset (thehackernews.com)
  2. ^ Doctor Web (news.drweb.com)
  3. ^ Kaspersky (www.kaspersky.com)
  4. ^ said (www.apkpure.com)
  5. ^ disclosed (news.drweb.com)
  6. ^ Joker (thehackernews.com)
  7. ^ said (github.com)
