APKPure client app tampered by Hackers to distribute malware and trojan

April 14, 2021
apkpure client tampered triada malware trojan android mobile device

One of the largest app stores outside of the Google Play Store, APKPure, was reported to have been infected with malware recently. The malware can allow hackers and threat actors to plant and distribute trojans into Android phones and other devices. 

This is another supply chain attack with similarities to the recent attack on Gigaset, a German telecom equipment manufacturer. According to the report, the APKPure client version 3.17.18 has been tampered with. It attempts to trick users into downloading and installing malicious apps and packages linked within the malicious code embedded on the APKPure client app.  

The trojan is identified to be a variant of the Android Triada malware family which can download, install, and uninstall the software without the user’s permission.  

 

Further analysis revealed that the tampered APKPure client version 3.17.18 was tweaked to incorporate an SDK that will trigger a trojan dropper designed to deliver other types of malware into the victim’s Android device. 

 

The advertisement SDK can show ads on the lock screen, open browser tabs, and collect and exfiltrate information on the compromised machine. 

Due to the findings, APKPure has released a newer version of the client app, APKPure version 3.17.19, last April 9 that have the malicious components removed. The release also fixed other potential security issues making the app safer to use.  

APKPure is not the only alternative app store outside of the Google Play Store that encountered malware and trojans. Earlier this week, a cybersecurity research firm has disclosed that it found 10 apps that have been compromised with Joker or Bread trojans on apps in AppGallery, Huawei’s application play store. This marks the first time that malware has been detected on Huawei’s official app store.  

The decoys apps that disguise as a virtual keyboard, camera and messaging app that came from three different developers have been analyzed to have hidden codes that will connect to an operator’s command-and-control or C2 server inject additional payloads. These compromised apps have been identified as responsible for subscribing mobile owners to premium mobile services with their consent.  

Below is the list of the 10 compromised apps found in AppGallery: 

  • All-in-One Messenger  
  • Super Keyboard 
  • BeautyPlus Camera 
  • Happy Colour  
  • Camera MX – Photo Video Camera 
  • Fun Color 
  • New 2021 Keyboard 
  • Color RollingIcon 
  • Funney Meme Emoji 
  • Happy Tapping 

 

The same payload capabilities has been found on some Android Joker malware versions that hit Android devices.

About the author

Leave a Reply