Kaspersky experts have found malicious code in version 3.17.18 for the official client of the APKPure app store. To date, products belonging to 9,380 Kaspersky users have detected and blocked the threat.
According to the researchers, the code was found in the advertising library of the application. The code likely appeared there because of the app developers’ partnership with an unscrupulous advertiser. There was a similar case with the CamScanner incident when a new advertising SDK from an unverified source was implemented.
The identified malicious code embedded in APKPure operates in the following way: Upon launch of the application, the payload is decrypted and launched. It then collects information about the user device and sends it to the C&C server. Then, a Trojan is loaded that has much in common with the notorious Triada malware, in that it can perform a range of actions — from displaying and clicking ads to signing up for paid subscriptions and downloading other malware.
Kaspersky discovers 23% of online users always allow apps access to microphones, webcams
Kaspersky foils over 200 million brute-force attacks vs RDP in Southeast Asia last year
Afterward, depending on the response received, the malware can:
- Show ads when the device is unlocked
- Open browser pages with ads repeatedly
- Load additional, executable modules
“Depending on the OS version, the Trojan can inflict various forms of damage on the victim. APKPure users with current Android versions are mostly at risk of having paid subscriptions and intrusive ads appear from nowhere,” Igor Golovin, security expert at Kaspersky. “Users of smartphones who do not receive security updates are less fortunate: in outdated versions of the OS, the malware is capable of not only loading additional apps but installing them on the system partition. This can result in an unremovable Trojan, like xHelper, getting onto the device. We were happy to inform the marketplace about the issue, which resulted in a fix for the version. We urge all APKPure users to immediately update the application to version 3.17.19.”
Kaspersky solutions detected the malicious implant as HEUR:Trojan-Dropper.AndroidOS.Triada.ap.
Kaspersky reported the issue to the marketplace on April 8. The next day, it replied to Kaspersky, saying the issue would be solved in the new version. The fix was done in version 3.17.19, which is already available for download.
In order to stay safe, APKPure users are recommended to:
- Immediately update the application to version 3.17.19
- Scan the system for other Trojans using a reliable security solution, such as Kaspersky Internet Security for Android