
APKPure, a popular third-party Android app store and an alternative to Google’s official Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices.

Kaspersky and Dr.Web malware analysts revealed that the trojan had emerged in the APKPure client version 3.17.18.

The analysis says that the app has a valid developer’s signature, which signifies either that the trojan was intentionally embedded by unidentified insiders or that a hack took place and the attackers gained access to the app store developers’ internal resources.

What is APKPure for?

The most official of all Android app stores is, of course, Google Play. But it is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. For users of devices without GMS, one prominent disadvantage is the loss of access to Google’s app store, where Android users can download the common apps.

APKPure hosts only free or shareware apps. The owners stress that the apps in their store have all been scanned by Google and are completely safe; their apps are the same as the ones on Google Play.

What happened with APKPure?

The incident strongly resembles the CamScanner episode, in which the app’s developers implemented an advertisement SDK from an unverified source that turned out to be malicious. That’s also how the malware got into APKPure.

The Kaspersky experts say that “the APKPure version 3.17.18 was likewise fitted with an advertisement SDK, one with an embedded Trojan dropper, which is detected as HEUR:Trojan-Dropper.AndroidOS.Triada.ap. When launched, it unpacks and runs its payload, which is the dangerous part.”

Triada was designed with the specific intent of carrying out financial fraud, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan is its modular architecture, which theoretically gives it a wide range of abilities.

This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware.

What can happen to a device with APKPure Installed?

Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released, and the user installed, security updates.

If the user has a comparatively recent version of the operating system, that is, Android 8 or higher, which doesn’t hand out root permissions in any case, then the component loads additional modules for the Triada Trojan.

If the device is older, running Android 6 or 7 without security updates installed and thus more easily rootable, it could be the xHelper Trojan (which lets attackers do almost anything they want on the device).
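
A fleet triage sketch for the cases above, added here as an example and not taken from Kaspersky, Dr.Web or APKPure: it parses captured `dumpsys package` and `getprop` output per device and flags the 3.17.18 build together with the follow-on payload the article describes for that Android version. The device names, the sample captures and the placeholder package name are constructed assumptions.

```python
import re

AFFECTED = (3, 17, 18)  # APKPure client build the page names as trojanized

# Constructed captures of `dumpsys package <pkg>` and `getprop`; the package
# name is a placeholder because the page does not give the real one.
def _dumpsys(ver):
    return f"Packages:\n  Package [apkpure.client.placeholder] (0a1b2c):\n    versionName={ver}\n"

def _props(release, patch):
    return (f"[ro.build.version.release]: [{release}]\n"
            f"[ro.build.version.security_patch]: [{patch}]\n")

FLEET = {
    "dev-a": (_dumpsys("3.17.18"), _props("7.1.1", "2018-03-05")),
    "dev-b": (_dumpsys("3.17.18"), _props("10", "2021-03-01")),
    "dev-c": (_dumpsys("3.17.19"), _props("9", "2020-11-01")),
    "dev-d": ("Unable to find package\n", _props("11", "2021-04-01")),
}

def parse_version(dumpsys_out):
    """Extract versionName from dumpsys output as an int tuple, or None."""
    m = re.search(r"^\s*versionName=(\d+(?:\.\d+)*)", dumpsys_out, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def parse_props(getprop_out):
    """Parse getprop lines of the form `[key]: [value]` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]", getprop_out, re.M))

def triage(dumpsys_out, getprop_out):
    """Return (status, detail) for one device, following the page's cases."""
    version = parse_version(dumpsys_out)
    if version is None:
        return ("not-installed", None)
    if version != AFFECTED:
        return ("other-build", ".".join(map(str, version)))
    props = parse_props(getprop_out)
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "unknown")
    major = int(release.split(".")[0]) if release[:1].isdigit() else 0
    if major >= 8:
        return ("affected", "expect additional Triada modules")
    if major in (6, 7):
        return ("affected", f"xHelper possible if unpatched; patch level {patch}")
    return ("affected", "follow-on payload not described for this Android version")

def triage_fleet(fleet):
    return {name: triage(*captures) for name, captures in fleet.items()}

if __name__ == "__main__":
    for name, result in triage_fleet(FLEET).items():
        print(name, *result)
```

The patch level is reported rather than judged, since the article gives no cutoff date for what counts as unpatched.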

Fixes Available

APKPure confirms that the problem has indeed been fixed: APKPure 3.17.19 doesn’t contain the malicious component. It is safe to use.

“Fixed a potential security problem, making APKPure safer to use,” reads the release note of the new version.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.