Official client for the APKPure Android app store compromised with malware

Official client for the APKPure Android app store compromised with malware

The official client for APKPure, the second-largest Android app store after the Google Play Store, was compromised with malware this week, three security firms said on Friday.

Version 3.17.18 of the APKPure application contained a copy of the Triada trojan, a type of Android malware that can perform banking fraud, steal user data, or download and install additional payloads.

Android users who installed or updated to this version of the APKPure client are advised to update to version 3.17.19, released earlier today, which removes the malware from their devices.

APKPure released the updated version today after receiving notifications that malware slipped into its official client yesterday from Russian security firms Dr.Web and Kaspersky.

Unclear how many users have been impacted

APKPure operates the web portal, which houses Android apps and mobile games.

Android smartphone owners usually install the APKPure client on their devices to install apps and games from the portal, similarly to how the Google Play app offers access to apps hosted on Google's official Play Store portal.

The client is supposedly installed on millions of Android devices, although it is unclear how many of these users updated to version 3.17.18 and got infected with malware.

APKPure has not returned an email from The Record seeking comment on the security breach's breadth and how the malware slipped into its official app.

However, seeking to confirm Dr.Web's findings and gain an insight into how the malware operated, The Record asked Cengiz Han Sahin, CEO and founder of mobile security firm ThreatFabric, to analyze version 3.17.18 of the APKPure client.

In an email, Sahin said the malware appears to have been added to the APKPure client at the same time with a new third-party SDK, which also appeared to launch the malware into execution.

"The malicious payload is encrypted and stored inside the app's code. The code used to decrypt and load the payload is launched from third-party SDK," Sahin told The Record in an email.

"However, there is no evidence of a compromised third-party SDK as the malicious code to decrypt and load malicious payload is stored outside the SDK code."

Based on the current evidence, Sahin can't say if the malware was introduced in the SDK by the SDK maker or bolted to the SDK code by a rogue developer at APKPure.

First screenshot: encrypted payload
Second screenshot: launch of decryption code from third-party SDK
Third screenshot: the same place in previous versions of APKPure
Fourth screenshot: part of the code of the decrypted payload

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.