Malicious code in APKPure app

Securelist, Incidents, 09 Apr 2021
https://securelist.com/apkpure-android-app-store-infected/101845/
Authors: Igor Golovin, Anton Kivva

Recently, we found malicious code in version 3.17.18 of the official client of the APKPure app store. The app is not on Google Play, but it is itself quite a popular app store around the world. Most likely, its infection is a repeat of the CamScanner incident (https://securelist.com/dropper-in-google-play/92496/), when the developer implemented a new adware SDK from an unverified source. We notified the developers about the infection on April 8. APKPure confirmed the issue and promptly fixed it with the release of version 3.17.19.

In terms of functionality, the malicious code embedded in APKPure is standard for this type of threat. When the app starts, the payload is decrypted and launched. In this case, it is located in a long string in the app code.

The payload collects information about the user device and sends it to the C&C server. Next, depending on the response received, the malware can:
- Show ads when the device is unlocked.
- Open browser pages with ads repeatedly.
- Load additional executable modules.

In our case, a Trojan was loaded that has much in common with the notorious Triada malware (https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/) and can perform a range of actions: from displaying and clicking ads to signing up for paid subscriptions and downloading other malware.

Depending on the OS version, the Trojan can inflict various forms of damage on the victim. APKPure users with current Android versions mostly risk having paid subscriptions and intrusive ads appear from nowhere. Users of smartphones that do not receive security updates are less fortunate: in outdated versions of the OS, the malware is capable not only of loading additional apps, but of installing them on the system partition. This can result in an unremovable Trojan like xHelper (https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/) getting onto the device.

Kaspersky solutions detect the malicious implant as HEUR:Trojan-Dropper.AndroidOS.Triada.ap. If you use APKPure, we recommend immediately deleting the infected app and installing the "clean" 3.17.19 version. In addition, scan the system for other Trojans using a reliable security solution, such as Kaspersky Internet Security for Android (https://www.kaspersky.com/android-security).

IOCs

APKPure app (MD5):
2cfaedcf879c62f5a50b42cbb0a7a499
718aecd85e9f1219f3fc05ef156d3acf
ceac990b3df466c0d23e0b7f588d1407
deac06ab75be80339c034e266dddbc9f
f64d43c64b8a39313409db2c846b3ee9

Payload (MD5):
31e49ac1902b415e6716bc3fb048f381

Downloaded malware (MD5):
5f9085a5e5e17cb1f6e387a901e765cf

C&C:
https://wcf.seven1029[.]com
http://foodin[.]site/UploadFiles/20210406052812.apk

Tags: Code injection, Google Android, Malware Technologies, Trojan
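As an added example (not code from the Securelist post), a small Python IOC matcher built from the hashes and C&C URLs listed above: it classifies APK files by MD5 and flags URLs whose host is one of the published C&C domains, refanging the "[.]" notation first. The function names are my own and the only inputs assumed are local APK files or URLs taken from a proxy log.

```python
import hashlib
from urllib.parse import urlparse

# MD5 hashes and C&C URLs exactly as published in the write-up above.
IOC_HASHES = {
    "2cfaedcf879c62f5a50b42cbb0a7a499": "APKPure app",
    "718aecd85e9f1219f3fc05ef156d3acf": "APKPure app",
    "ceac990b3df466c0d23e0b7f588d1407": "APKPure app",
    "deac06ab75be80339c034e266dddbc9f": "APKPure app",
    "f64d43c64b8a39313409db2c846b3ee9": "APKPure app",
    "31e49ac1902b415e6716bc3fb048f381": "Payload",
    "5f9085a5e5e17cb1f6e387a901e765cf": "Downloaded malware",
}
IOC_URLS = [
    "https://wcf.seven1029[.]com",
    "http://foodin[.]site/UploadFiles/20210406052812.apk",
]

def refang(indicator):
    """Turn a defanged indicator ('x[.]com', 'hxxp://') back into a plain one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Match on hostname only, so any path on a listed C&C host counts as a hit.
IOC_HOSTS = {urlparse(refang(u)).hostname.lower() for u in IOC_URLS}

def classify_hash(md5_hex):
    """Return the IOC category for an MD5 hex digest, or None if unknown."""
    return IOC_HASHES.get(md5_hex.strip().lower())

def classify_bytes(data):
    """Classify an in-memory file (e.g. an APK pulled with adb) by its MD5."""
    return classify_hash(hashlib.md5(data).hexdigest())

def scan_files(paths):
    """Map each path whose MD5 matches a published hash to its IOC category."""
    hits = {}
    for path in paths:
        h = hashlib.md5()
        with open(path, "rb") as f:          # stream, APKs can be large
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        category = classify_hash(h.hexdigest())
        if category:
            hits[path] = category
    return hits

def matches_c2(url):
    """True if the URL's host is one of the published C&C hosts."""
    host = urlparse(refang(url)).hostname
    return host is not None and host.lower() in IOC_HOSTS
```

Hashes are compared case-insensitively, and a lookalike host such as wcf.seven1029.com.example.net does not match because the comparison is on the full hostname, not a substring.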