Malicious code in APKPure app

Recently, we’ve found malicious code in version 3.17.18 of the official client of the APKPure app store. The app is not on Google Play, but it is itself quite a popular app store around the world. Most likely, its infection is a repeat of the CamScanner incident, when the developer implemented a new adware SDK from an unverified source.


We notified the developers about the infection on April 8. APKPure confirmed the issue and promptly fixed it with the release of version 3.17.19.


In terms of functionality, the malicious code embedded in APKPure is standard for this type of threat. When the app starts, the payload is decrypted and launched. In this case, it is located in a long string in the app code.
The payload collects information about the user device and sends it to the C&C server.
Next, depending on the response received, the malware can:

- Show ads when the device is unlocked.
- Open browser pages with ads repeatedly.
- Load additional executable modules.
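
A triage heuristic for the pattern described above, an encrypted payload carried as one long string in the app code, follows as an added example; it is not code from the original article or from APKPure. It assumes the string is text-encoded (hex or base64) and that the input is decompiled Java or smali source; the thresholds and the sample class are constructed.

```python
import base64
import math
import re
from collections import Counter

# Double-quoted Java/smali string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Characters used by hex, base64 and URL-safe base64 encodings.
ENCODED_ALPHABET = re.compile(r'[A-Za-z0-9+/=_-]+')

def shannon_entropy(text):
    """Bits per character of the literal's character distribution."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def find_suspect_literals(source, min_len=512, min_entropy=3.0):
    """Return (line_no, length, entropy) for long encoded-looking literals."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            # Short strings and prose (spaces, punctuation) are ignored.
            if len(literal) < min_len or not ENCODED_ALPHABET.fullmatch(literal):
                continue
            # The entropy floor drops padding such as one repeated character.
            entropy = shannon_entropy(literal)
            if entropy >= min_entropy:
                hits.append((line_no, len(literal), round(entropy, 2)))
    return hits

# Constructed sample: decompiled-style source with one encoded blob on line 4.
BLOB = base64.b64encode(bytes(range(256)) * 3).decode()  # 1024 characters
SAMPLE_SOURCE = "\n".join([
    'class Loader {',
    '  static final String NOTICE = "' + "Licensed under the app terms. " * 20 + '";',
    '  static final String PAD = "' + "A" * 600 + '";',
    '  static final String DATA = "' + BLOB + '";',
    '  static final String TAG = "QUJD";',
    '}',
])

if __name__ == "__main__":
    for line_no, length, entropy in find_suspect_literals(SAMPLE_SOURCE):
        print(f"line {line_no}: {length}-char literal, {entropy} bits/char")
```

A hit is only a pointer for manual review: legitimate apps also embed long encoded resources, so the surrounding code that consumes the literal decides whether it matters.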


In our case, a Trojan was loaded that has much in common with the notorious Triada malware and can perform a range of actions: from displaying and cl ..