Hackers compromised APKPure client to distribute infected Apps

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack, threat actors compromised client version 3.17.18 to deliver malware.

Multiple security experts discovered threat actors tampered with the APKPure client version 3.17.18 of the popular alternative third-party Android app store.

APKPure is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure.

The tainted client downloads and installs various apps, including other malicious payloads.

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web.

The analysis of the code of the client revealed that attacker modified it by injecting the Android.Triada malware.

Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, it allows threat actors to download, install/uninstall payloads without users’ permission.

Researchers from Kaspersky pointed out that attackers compromised the APKPure version 3.17.18 with a tainted advertisement SDK.

“Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released — and the user installed — security updates.” states Kaspersky.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.”

APKPure has solved the problem with the release of the version 3.17.19, on April 9.

“Fixed a potential security problem, making APKPure safer to use,” reads the release note of the new version.

This week another supply chain attack made the headlines, the German device maker Gigaset announced that threat actors compromised at least one server of the company to deliver malware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

[adrotate banner=”5″]

[adrotate banner=”13″]