Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Trojan detected in APKPure Android app store client software

April 9, 2021

Doctor Web specialists have discovered a malicious functionality in APKPure—the official client application of the popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.

APKPure is one of the oldest and most popular third-party games and software catalogs for the Android OS. Some Android device owners use it as an alternative to Google Play—the official Android app store. Analysis carried out by our specialists revealed that the trojan had emerged in the APKPure client version 3.17.18, relevant at the time of this news release and distributed through the official website of the APKPure platform. The app has a valid developer's signature. This could indicate the trojan was intentionally embedded by unidentified insiders, or that a hack took place and the attackers gained access to the app store developers’ internal resources. The German telecommunications equipment manufacturer Gigaset also faced a similar case, which further serves as evidence of a hack. According to the company, the attackers gained access to one of its updating servers. Soon after that, several Gigaset Android smartphone models begun downloading and installing trojan applications linked to the malicious code built into the APKpure app.

Doctor Web received the first data on the malicious version of the APKPure client on March 25th. Since then, the trojan’s code has changed slightly, but its main functionality remains untouched. The current version of the malware is detected by Dr.Web anti-virus as Android.Triada.4912.

This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users’ permission. In this case, the trojan is responsible for the first stage of the infection. There is another trojan of the very same family— Android.Triada.566.origin—hidden in its code in encrypted form. This trojan performs the main malicious actions. Once it is decrypted and executed, this component begins to load various websites in the default browser. For example, these can be sites with ads, as well as phishing resources. It also downloads and executes other malicious modules and various apps. So it can be said that the cybercriminals behind these trojans make money on pay-per-install schemes and ads.

Doctor Web has informed the owners of the APKPure platform about the discovered threat. The Android device owners who have installed APKPure app are advised to temporarily uninstall it to get rid of the infection. Users are also advised to use any other third-party Android app catalogs with caution.

Dr.Web anti-virus products for Android successfully detect and delete these and other modifications of the Android.Triada trojans, so they pose no threat to our users.

The analysis of the trojans continues.

Dr.Web Mobile Security

Your Android needs protection.

Use Dr.Web

  • The first Russian anti-virus for Android
  • Over 140 million downloads—just from Google Play
  • Available free of charge for users of Dr.Web home products

Free download

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124