Popular Third-Party Android App Store Was Infected With A Dangerous Trojan Malware

Android Trojan

Google Play Store isn't the safest app store. But when considering it as the official store for Android, it's best to say that it is the safest of them all.

While most Android users would usually head to the Play Store to download and install apps, others can use third-party app stores. Usually, people visit those app stores to sideload Android apps by downloading their APK files, in order to download different versions of an app, or to download apps that aren't available in their region.

And one of the most popular third-party app stores that allows this, is APKPure.

Many Android users find the app store as an alternative to the Google's official Play Store.

Fortunately, those Android users can be certain that the apps they download on APKPure's platform are supposedly identical to those available through the Play Store. But unfortunately for them, the APKPure platform itself was riddled with malware.

According to Kaspersky and Doctor Web, a malware is found embedded within an advertisement SDK included with APKPure version 3.17.18.

In a blog post, Kaspersky wrote that:

"We always recommend downloading apps from official stores only, to reduce the likelihood of installing malware. However, unofficial stores not only host malicious apps, but they might not be safe at all. Following a recent investigation, we are sorry to report that APKPure, a popular alternative source of Android apps, was Trojanized and has been distributing other Trojans."

And according to Doctor Web on its own post:

"Doctor Web specialists have discovered a malicious functionality in APKPure—the official client application of the popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission."

Both Kaspersky and Doctor Web reported their findings to APKPure.

In response, the developer of the app store released APKPure version 3.17.19 which fixed the issue.

Android device owners who have installed APKPure app are advised to temporarily uninstall it to get rid of the infection, or update it to a newer version. And as always, users are also advised to use any other third-party Android app stores with extra caution.

APKPure version history, without version 3.17.18
A screenshot of APKPure's app version history. The developer has even removed traces of the infected 3.17.18 by removing the version from the list.

According to Kaspersky, the version of the APKPure app store has an advertisement SDK that has a Trojan dropper embedded in it. Kaspersky solutions detected it as HEUR:Trojan-Dropper.AndroidOS.Triada.ap.

When it is launched, it will unpack and runs its payload, which include several dangerous components.

For example, it can show ads on the lock screen; open browser tabs automatically; collect information about the device; and download other malware without user intervention.

The damage the Trojan can inflict, depends on the Android version the user is running, as well as on how regularly the smartphone vendor released - and the user installed - security updates.

But in all, it can range from being signed up for paid subscriptions, to seeing intrusive ads, or having unremovable malware like the xHelper Trojan.

According to Doctor Web, the APKPure app version 3.17.18 had a valid developer's signature.

What this means, the Trojan could have been intentionally embedded by unknown insiders, or that a hack happened and allowed the hackers to gain access to the app store developers’ internal resources.