April 9, 2021
APKPure is one of the oldest and most popular third-party catalogs of games and software for Android. Some Android device owners use it as an alternative to Google Play, the official Android app store. Analysis carried out by our specialists revealed that the trojan emerged in APKPure client version 3.17.18, which was current at the time of this news release and was distributed through the official website of the APKPure platform. The app has a valid developer's signature. This could indicate that the trojan was intentionally embedded by unidentified insiders, or that a hack took place and the attackers gained access to the app store developers’ internal resources.
The German telecommunications equipment manufacturer Gigaset also faced a similar case, which further serves as evidence of a hack. According to the company, the attackers gained access to one of its update servers. Soon after that, several Gigaset Android smartphone models began downloading and installing trojan applications linked to the malicious code built into the APKPure app.
Doctor Web received the first data on the malicious version of the APKPure client on March 25th. Since then, the trojan’s code has changed slightly, but its main functionality remains untouched. The current version of the malware is detected by Dr.Web anti-virus as Android.Triada.4912.
This trojan belongs to the dangerous Android.Triada malware family, which is capable of downloading, installing and uninstalling software without users’ permission. In this case, the trojan is responsible for the first stage of the infection. Another trojan of the same family, Android.Triada.566.origin, is hidden in its code in encrypted form. This second trojan performs the main malicious actions. Once it is decrypted and executed, it begins to load various websites in the default browser, for example sites with ads as well as phishing resources. It also downloads and executes other malicious modules and various apps. In effect, the cybercriminals behind these trojans make money on pay-per-install schemes and ads.
Doctor Web has informed the owners of the APKPure platform about the discovered threat. Android device owners who have installed the APKPure app are advised to temporarily uninstall it to get rid of the infection. Users are also advised to use any other third-party Android app catalogs with caution.
Dr.Web anti-virus products for Android successfully detect and delete these and other modifications of the Android.Triada trojans, so they pose no threat to our users.
The analysis of the trojans continues.