APKPure Android app store and mobile app has been infected with malicious software that downloads trojans to Android devices.
Researchers from security firm Kaspersky discovered the malware and warned users of the dangers of downloading mobile apps from unofficial stores. The official store for Android is Google Play.
“Following a recent investigation, we are sorry to report that APKPure, a popular alternative source of Android apps, was Trojanized and has been distributing other Trojans,” Kaspersky wrote in a blog post.
APKPure app store
APKPure is an open-source service that provides users with direct access to APK (Android app) files and can download APK files to Android devices. Moreover, the service typically hosts free or shareware apps.
Some vendors avoid using Google Play since it requires devices that use Google Mobile Services (GMS) libraries, that is dependent on Google’s infrastructure.
Although APKPure did say their apps are scanned and safe, unfortunately the APKPure version 3.17.18 was likely infected with a malicious advertisement SDK used as an embedded trojan dropper.
As a result, the launched malware components could then download other malware, collect data on devices, open browser tabs and other nefarious actions.
APKPure mobile app
According to Kaspersky, the type of trojan downloaded via an infected APKPure app would depend on the version of Android running on the victim’s phone.
For new phones (i.e., Android 8 or newer), the malware can load Triada trojan modules, that can then be used to buy premium subscriptions and download other malware.
For older phones (i.e., Android 6 or 7), trojans like xHelper can be downloaded, which is much harder to remove. These older versions lack the newer security features and are much easier to root.
“Removing this beast is a real challenge; even a factory reset won’t do it. Armed with root access, xHelper lets attackers do almost anything they want on the device,” Kaspersky warned.
Past mobile malware threats
Earlier last year, security experts from McAfee warned of the rapidly growing threat where cybercriminals targeted mobile phones to manipulate and quickly profit from them.
For instance, apps like HiddenAds malware was being distributed outside of official app stores. Gamers could find these fake apps shared in gaming chat app Discord or via links posted near YouTube videos.
These types of apps typically hide in the background and request advertising to generate profits for the actors.
In another case, a malware family dubbed LeifAccess (or Shopper) used warning messages to scare users such as “security error should be dealt with immediately.” As a result, users could be tricked into clicking and giving the malware permissions on the phone.
In yet another example, cybersecurity experts discovered in February a popular Android app riddled with vulnerabilities had been download one billion times. Attackers exploited the permissions on the SHAREit mobile app to leak sensitive data and remotely execute malicious code. SHAREit is used to share files between Android users and devices.
Mitigations and safeguards
The good news is APKPure confirmed they started working on a fix just a day after Kaspersky informed them of the issue on April 8, 2021.
APKPure published a new update for APKPure App 3.17.19 on April 9, which “fixed a potential security problem, making APKPure safer to use.”
Kaspersky further recommended users follow these safeguards to protect against trojanized malware:
- Use official app stores to download mobile apps.
- Use trusted security solution to scan new downloaded files for malware.
- Keep devices and mobile apps up to date.
- Run mobile anti-virus software and scan device for malware.
- Android app SHAREit vulnerabilities could leak sensitive data and lead to remote code execution
- Hidden mobile app malware threats
- 2020 Threat Landscape Report reveals new themes and evolving threats
- FBI: Beware of banking trojans and fake mobile banking apps
- Eavesdropper vulnerability impacts hundreds of enterprise apps
- GhostClicker adware threat