Multiple security experts discovered threat actors tampered with the APKPure client version 3.17.18 of the popular alternative third-party Android app store.
APKPure is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure.
The tainted client downloads and installs various apps, including other malicious payloads.
“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web.
The analysis of the code of the client revealed that attacker modified it by injecting the Android.Triada malware.
Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.
The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, it allows threat actors to download, install/uninstall payloads without users’ permission.
Researchers from Kaspersky pointed out that attackers compromised the APKPure version 3.17.18 with a tainted advertisement SDK.
“Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released — and the user installed — security updates.” states Kaspersky.
“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.”
APKPure has solved the problem with the release of the version 3.17.19, on April 9.
“Fixed a potential security problem, making APKPure safer to use,” reads the release note of the new version.
This week another supply chain attack made the headlines, the German device maker Gigaset announced that threat actors compromised at least one server of the company to deliver malware.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, supply chain attack)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.