Two new active and aggressive Android Trojan variants have been discovered in the wild, impacting users of two alternative, non-Google Play app stores (“third-party” app stores). The discoveries are examples of how malware can spread through sources outside of Google Play, and they highlight the importance of sideloading detection, on-device malware detection, and app risk analysis for securing Android endpoints. With over 300 known third-party app stores hosting millions of applications, these alternatives are increasing in popularity with mobile endpoint users looking to circumvent regional restrictions and paywalls, access older or removed apps, or use unverified apps on their devices. Because they rely on sideloading, i.e. installation of unverified packages, these third-party app stores can pose big risks to mobile endpoints and the data they store.
The first and most prominent is a new mobile variant of the Android Triada malware discovered infecting the popular alternative Android app store APKPure app (version 3.17.18). Discovered by Doctor Web, this aggressive Android Trojan is capable of acting as the user on the device, including adding or deleting applications or even modifying local data. In this case, the infected APKPure app store was installing malicious applications that display ads on both the lock screen and in new browser tabs, as well as collecting device information and sending it back to an unknown source.
APKPure, established in 2014 as an alternative repository of Google Play apps including older versions and no-longer-available titles, is one of the more popular third-party Android app stores available to users. While APKPure has responded to the malware discovery with a new version of its app store (3.17.19), an aggressive infection like this one is not uncommon for users of third-party app stores, due to the lack of security controls, code verification, and trusted security partners. Unfortunately, this is not the only malware seen in APKPure or other third-party app store applications.
The second discovery, also by Doctor Web, is of 10 decoy Android applications available in the Huawei AppGallery infected with a new variant of the Joker/Bread Android Trojan. A decoy application is submitted to app stores with modified code, usually to circumvent features or paywalls, but is often found to be rife with vulnerabilities and mobile malware. In this case, 10 decoy applications from three different developers were loaded with code enabling the attackers to act as the end user, signing them up for expensive premium mobile services without any real interaction. This form of command-and-control (C2) is a common attack vector on traditional endpoints, and with the rise of mobile endpoint usage, it is no surprise to see it in the wild here.
The Huawei AppGallery is the official app store for Huawei devices and boasts over 45,000 applications and over 390 million global users, but lacks the advanced security controls found in Google Play. While Huawei has taken steps to remove the infected decoy applications from its app store, any customer that has downloaded any of the infected applications will need to take manual steps to remove and secure their device. The infected applications will remain on the device despite Huawei’s actions.
Steps to Protection
Zimperium customers were already protected against both the Android Triada Trojan and the Joker/Bread Trojan through the on-device z9 Mobile Threat Defense engine, which identifies whether an app is malicious, including zero-day malware.
Zimperium is able to identify devices that have an increased level of risk to malware by identifying which devices allow for app installation from unofficial app stores and unknown sources, as well as any other side-loaded application. Regardless of how the malware was installed, Zimperium’s z9 mobile threat defense engine detects known and unknown malware, keeping mobile users and their data secure.
To ensure your environment is protected from these two variants and attack vectors, we recommend a quick risk assessment. Inside zConsole, admins can review which apps are side-loaded onto each device, since these increase the attack surface and leave data and users at risk. After this, admins can identify and address which devices allow installation from “unknown sources”, i.e., third-party app stores.
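The same two checks (which non-system packages were not installed by the official store, and which apps hold the per-app “install unknown apps” grant that Android 8+ uses in place of the old global toggle) can be run outside zConsole from captured `adb shell` output. The script below is an added illustration and is not Zimperium code; the adb output it parses is constructed by hand rather than captured from a device, and the package names assumed for the APKPure and AppGallery store clients should be verified against your own fleet before use.

```python
"""Triage side-loaded packages and 'install unknown apps' grants from adb output.

Added example (not Zimperium's code). Inputs are the text that these commands
print, which you would capture per device:
    adb shell pm list packages -i -3        # non-system packages + installer
    adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES
    adb shell dumpsys package <pkg> | grep versionName
The sample output embedded below is constructed, not from a real device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

OFFICIAL_STORE = "com.android.vending"  # Google Play installer identity
THIRD_PARTY_STORES = {  # assumed package names; confirm for your environment
    "com.apkpure.aegon": "APKPure",
    "com.huawei.appmarket": "Huawei AppGallery",
}
INFECTED_APKPURE_VERSION = "3.17.18"  # version the post names as Triada-infected

# --- constructed sample output ------------------------------------------------
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.apkpure.aegon  installer=null
package:com.example.colorgame  installer=com.huawei.appmarket
package:com.example.sidekeyboard  installer=com.google.android.packageinstaller
"""
APPOPS_OUTPUT = {  # one `appops get` result per package
    "com.android.chrome": "REQUEST_INSTALL_PACKAGES: deny",
    "com.apkpure.aegon": "REQUEST_INSTALL_PACKAGES: allow; time=+2d3h10m ago",
    "com.huawei.appmarket": "No operations.",
}
DUMPSYS_VERSION_OUTPUT = {"com.apkpure.aegon": "    versionName=3.17.18"}


@dataclass
class Finding:
    package: str
    installer: str
    reasons: list[str] = field(default_factory=list)


_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i -3` output."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def unknown_sources_allowed(appops_line: str) -> bool:
    """True if the app holds the per-app 'install unknown apps' grant."""
    return re.search(r"REQUEST_INSTALL_PACKAGES:\s*allow", appops_line) is not None


def parse_version(dumpsys_line: str) -> str | None:
    m = re.search(r"versionName=(\S+)", dumpsys_line)
    return m.group(1) if m else None


def assess(installers: dict[str, str], appops: dict[str, str],
           versions: dict[str, str]) -> list[Finding]:
    """Return one Finding per package that widens the sideloading attack surface."""
    findings: list[Finding] = []
    for pkg, installer in installers.items():
        f = Finding(pkg, installer)
        if installer != OFFICIAL_STORE:
            store = THIRD_PARTY_STORES.get(installer)
            f.reasons.append(f"installed from third-party store {store}" if store
                             else "side-loaded (installer is not a known store)")
        if pkg in THIRD_PARTY_STORES:
            f.reasons.append(f"third-party store client {THIRD_PARTY_STORES[pkg]} present")
            if (THIRD_PARTY_STORES[pkg] == "APKPure"
                    and parse_version(versions.get(pkg, "")) == INFECTED_APKPURE_VERSION):
                f.reasons.append(f"APKPure version {INFECTED_APKPURE_VERSION} reported infected with Triada")
        if unknown_sources_allowed(appops.get(pkg, "")):
            f.reasons.append("may install unknown apps (REQUEST_INSTALL_PACKAGES allowed)")
        if f.reasons:
            findings.append(f)
    return findings


def run_sample() -> list[Finding]:
    """Run the assessment over the constructed sample output."""
    return assess(parse_installers(PM_LIST_OUTPUT), APPOPS_OUTPUT, DUMPSYS_VERSION_OUTPUT)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.package} (installer={finding.installer})")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Two caveats when running this against real devices: `pm list packages -i` reports `installer=null` for system apps as well as for `adb install` and some manual installs, which is why the `-3` flag (non-system packages only) is part of the capture command; and an OEM store such as AppGallery will appear as an installer on Huawei devices, so the script distinguishes “installed from a known third-party store” from “installer unknown” rather than lumping them together.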
Not a Zimperium customer? Contact us today for a free mobile risk assessment.
APKPure App Store version 3.17.18
Decoy applications from the Huawei AppGallery store
- Super Keyboard
- Happy Color
- Fun Color
- New 2021 Keyboard
- Camera MX – Photo Video Camera
- BeautyPlus Camera
- Color Rolling Icon
- Funny Meme Emoji
- Happy Tapping
- All-in-One Messenger
Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.