Malware Found Embedded Within APKPure
The Popular Third Party App Seems to Be a Variant of the Triada Trojan.
APKPure was created in 2014 to give Android users access to a vast bank of Android apps and games that are no longer available on Google Play, Android’s official app store. It later launched an Android app that serves as its own app store and lets users download older apps directly to their devices.
The malware was caught by analysts at Kaspersky, who noticed it inside an advertisement SDK bundled with APKPure version 3.17.18.
It appears to be a variant of the Triada trojan, first spotted by Kaspersky in 2016, and is capable of spamming users of infected devices with ads as well as delivering additional malware.
The identified malicious code embedded in APKPure operates in the following way: upon launch of the application, the payload is decrypted and launched. It then collects information about the user device and sends it to the C&C server.
Then, a Trojan is loaded that has much in common with the notorious Triada malware, in that it can perform a range of actions – from displaying and clicking ads to signing up for paid subscriptions and downloading other malware.
From this point on, depending on the operators’ instructions and the scheme used for monetization, it will do one of the following actions:
- show ads when the Android device is unlocked;
- open web pages containing ads repeatedly;
- click ads and in this way sign you up for paid subscriptions;
- install other payloads or potentially malicious software without consent.
The severity of the damage this trojan can inflict depends on the Android version running on the device, and ranges from being signed up for paid subscriptions and seeing intrusive ads on current versions to having unremovable malware such as xHelper deployed on the system partition.
While no official download stats are available for the APKPure app, Kaspersky says that it has so far blocked the malware on the devices of 9,380 Android users running its security solutions on their devices.
APKPure fixed the issue in the latest version of the app, 3.17.19; if you’re using version 3.17.18, uninstall it immediately and scan your phone with anti-malware software.
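The remediation advice above amounts to a version check: find out which APKPure build is installed and act if it is the affected one. The script below is an added example and is not code from the article or from APKPure or Kaspersky. It parses the `versionName` line that `adb shell dumpsys package <pkg>` prints, compares it against the versions the article gives (3.17.18 affected, 3.17.19 fixed), and returns a verdict; the package name `com.apkpure.aegon` and the sample `dumpsys` excerpt are assumptions constructed for the example, not taken from the article.

```python
import re
import subprocess
from typing import Optional, Tuple

# ASSUMPTION: the APKPure client's package name is not stated in the article.
APKPURE_PACKAGE = "com.apkpure.aegon"
AFFECTED_VERSION = "3.17.18"  # build the article reports as carrying the payload
FIXED_VERSION = "3.17.19"     # build the article reports as fixed

# Constructed sample of `adb shell dumpsys package com.apkpure.aegon` output.
# This is not real device output; only the versionName line matters here.
SAMPLE_DUMPSYS = """
Packages:
  Package [com.apkpure.aegon] (3f2a1b):
    userId=10231
    codePath=/data/app/com.apkpure.aegon-1
    versionCode=3171800 minSdk=21 targetSdk=29
    versionName=3.17.18
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
"""


def parse_version(dumpsys_text: str) -> Optional[str]:
    """Return the versionName from dumpsys output, or None if the package is absent."""
    match = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.17.18' into (3, 17, 18) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(version: Optional[str]) -> str:
    """Classify an installed APKPure version against the article's affected/fixed builds."""
    if version is None:
        return "not installed"
    if version == AFFECTED_VERSION:
        return "affected: uninstall and scan"
    if version_tuple(version) < version_tuple(FIXED_VERSION):
        return "older than fixed build: update"
    return "fixed build or newer"


def check_device(package: str = APKPURE_PACKAGE) -> str:
    """Query a connected device over adb and return the verdict for the package."""
    output = subprocess.run(
        ["adb", "shell", "dumpsys", "package", package],
        capture_output=True, text=True, check=False,
    ).stdout
    return assess(parse_version(output))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use check_device() with a real device.
    installed = parse_version(SAMPLE_DUMPSYS)
    print(f"{APKPURE_PACKAGE} versionName={installed}: {assess(installed)}")
```

`check_device()` needs `adb` on the PATH and a device with USB debugging enabled; the `__main__` block runs entirely offline on the constructed sample so the parsing and comparison logic can be exercised without a device.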