Hackers Tampered With APKPure Store to Distribute Malware Apps



 


 

APKPure, one of the largest alternative app stores outside of the Google Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices.

 

In an incident that's similar to that of German telecommunications equipment manufacturer Gigaset, the APKPure client version 3.17.18 is said to have been tampered with in an attempt to trick unsuspecting users into downloading and installing malicious applications linked to the malicious code built into the APKPure app.

 

The development was reported by researchers from Doctor Web and Kaspersky.

"This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users' permission," Doctor Web researchers said.

 

According to Kaspersky, the APKPure version 3.17.18 was tweaked to incorporate an advertisement SDK that acts as a Trojan dropper designed to deliver other malware to a victim's device. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said.

 

In response to the findings, APKPure has released a new version of the app (version 3.17.19) on April 9 that removes the malicious component. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

Joker Malware Infiltrates Huawei AppGallery

APKPure is not the only third-party Android app hub to encounter malware. Earlier this week, Doctor Web researchers disclosed that they had found 10 apps that were compromised with Joker (or Bread) trojans in Huawei's AppGallery, marking the first time malware has been detected in the company's official app store.

 

The decoy apps, which took the form of a virtual keyboard, camera, and messaging apps from three different developers, came with hidden code to connect to a command-and-control (C2) server to download additional payloads that were responsible for automatically subscribing device users to premium mobile services without their knowledge.

 

Although the app listings have since been "hidden" from the AppGallery store, users who have previously installed the apps continue to remain at risk until they are removed from their phones. The list of malware apps is below —

  • Super Keyboard (com.nova.superkeyboard)
  • Happy Colour (com.colour.syuhgbvcff)
  • Fun Color (com.funcolor.toucheffects)
  • New 2021 Keyboard (com.newyear.onekeyboard)
  • Camera MX – Photo Video Camera (com.sdkfj.uhbnji.dsfeff)
  • BeautyPlus Camera (com.beautyplus.excetwa.camera)
  • Color RollingIcon (com.hwcolor.jinbao.rollingicon)
  • Funney Meme Emoji (com.meme.rouijhhkl)
  • Happy Tapping (com.tap.tap.duedd)
  • All-in-One Messenger (com.messenger.sjdoifo)

 

In addition, the researchers said the same malware payload was "used by some other versions of the Android.Joker, which were spread, among other places, on the Google Play, for example, by apps such as Shape Your Body Magical Pro, PIX Photo Motion Maker, and others." All the apps have been removed from the Play Store.

 

 

Source: Hackers Tampered With APKPure Store to Distribute Malware Apps
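
As an added example (not part of the original posts or of the researchers' reports), one way to check a device's package inventory against the package ids listed above and against the tampered client version. The sample `pm list packages` and `dumpsys package` text is constructed, and the function names are illustrative.

```python
import re

# Package ids from the Doctor Web list quoted in the post above.
JOKER_PACKAGES = {
    "com.nova.superkeyboard", "com.colour.syuhgbvcff",
    "com.funcolor.toucheffects", "com.newyear.onekeyboard",
    "com.sdkfj.uhbnji.dsfeff", "com.beautyplus.excetwa.camera",
    "com.hwcolor.jinbao.rollingicon", "com.meme.rouijhhkl",
    "com.tap.tap.duedd", "com.messenger.sjdoifo",
}
TAMPERED_APKPURE_VERSION = "3.17.18"  # per the post; 3.17.19 removed the component

def parse_pm_list(text):
    """Package ids from `pm list packages` output (plain, -f, or with versionCode)."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip warnings and blank lines
        parts = line[len("package:"):].split()  # drops " versionCode:..." suffixes
        if not parts:
            continue
        # With -f the entry is "<apk path>=<package id>"; the path may itself
        # contain '=' (base64-style directory names), so split on the last one.
        packages.add(parts[0].rsplit("=", 1)[-1])
    return packages

def joker_hits(pm_list_text):
    """Sorted list of installed packages that appear in the Joker list."""
    return sorted(parse_pm_list(pm_list_text) & JOKER_PACKAGES)

def apkpure_client_tampered(dumpsys_text):
    """True if a `dumpsys package <client id>` excerpt reports version 3.17.18."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    return bool(m) and m.group(1) == TAMPERED_APKPURE_VERSION

# Constructed sample input: the line formats are mixed on purpose to exercise
# each case, and the client package id is a placeholder.
SAMPLE_PM_LIST = """\
package:com.android.settings
package:/data/app/~~Qx1a==/com.tap.tap.duedd-Zk9w==/base.apk=com.tap.tap.duedd
package:com.nova.superkeyboard versionCode:12
package:com.example.notes
"""
SAMPLE_DUMPSYS = """\
  Package [<apkpure-client-package-id>] (1a2b3c):
    versionCode=1 minSdk=19 targetSdk=29
    versionName=3.17.18
"""

if __name__ == "__main__":
    print("Joker packages installed:", joker_hits(SAMPLE_PM_LIST))
    print("Tampered APKPure client:", apkpure_client_tampered(SAMPLE_DUMPSYS))
```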


Android malware found embedded in APKPure store application

 


 

Security researchers found malware embedded within the official application of APKPure, a popular third-party Android app store and an alternative to Google's official Play Store.

 

Android users use the application to install apps and games hosted on APKPure's platform, supposedly identical to those available through the Play Store.

 

The malware was discovered by Kaspersky and Dr.Web malware analysts embedded within an advertisement SDK included with APKPure version 3.7.18.

 

As they discovered, it looks like a variant of the Triada trojan first spotted by Kaspersky in 2016 [12], capable of spamming users of infected devices with ads and delivering additional malware.

 

[Figure: APKPure interface]

 

"The identified malicious code embedded in APKPure operates in the following way: upon launch of the application, the payload is decrypted and launched," Kaspersky said. "It then collects information about the user device and sends it to the C&C server."

 

"Then, a Trojan is loaded that has much in common with the notorious Triada malware, in that it can perform a range of actions - from displaying and clicking ads to signing up for paid subscriptions and downloading other malware."

 

Next, depending on its operators' instructions and monetizing scheme (ads or pay-per-install), it will:

  • show ads every time the Android device is unlocked,
  • repeatedly open web pages containing ads,
  • click the ads to sign up for paid subscriptions,
  • install other payloads or potentially malicious software without the users' consent.

The damage inflicted by this trojan varies depending on the Android version running on the compromised devices, ranging from being signed up for paid subscriptions and seeing intrusive ads on current versions to having unremovable malware like xHelper deployed on the system partition.

 

[Figure: Device information collected by the malware (Kaspersky)]

 

While no official download stats are available for the APKPure app, Kaspersky says that it has so far blocked the malware on the devices of 9,380 Android users running its security solutions on their devices.

 

Both Kaspersky and Dr.Web reported their findings to APKPure's developers, who have released APKPure 3.17.19 today without the malicious code.

 

Indicators of compromise, including APKPure app, payload, and malware sample hashes, are available at the end of Kaspersky's report.

 

BleepingComputer has reached out to APKPure's development team for more information but has not heard back.

 

 

Source: Android malware found embedded in APKPure store application
