APKPure, one of the largest alternative app stores, was the victim of a supply chain attack, threat actors compromised client version 3.17.18 to deliver malware.

Multiple security experts discovered threat actors tampered with the APKPure client version 3.17.18 of the popular alternative third-party Android app store.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

APKPure is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure.

The tainted client downloads and installs various apps, including other malicious payloads.

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web.

The analysis of the code of the client revealed that attacker modified it by injecting the Android.Triada malware.

Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, it allows threat actors to download, install/uninstall payloads without users’ permission.

Researchers from Kaspersky pointed out that attackers compromised the APKPure version 3.17.18 with a tainted advertisement SDK.

“Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released — and the user installed — security updates.” states Kaspersky.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.”

APKPure has solved the problem with the release of the version 3.17.19, on April 9.

“Fixed a potential security problem, making APKPure safer to use,” reads the release note of the new version.

This week another supply chain attack made the headlines, the German device maker Gigaset announced that threat actors compromised at least one server of the company to deliver malware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

The post Hackers compromised APKPure client to distribute infected Apps appeared first on Security Affairs.

By admin