Malicious code in APKPure app
2021-04-10 01:58:41 Author: securelist.com(查看原文) 阅读量:227 收藏

Incidents

Incidents

minute read

Recently, we’ve found malicious code in version 3.17.18 of the official client of the APKPure app store. The app is not on Google Play, but it is itself a quite a popular app store around the world. Most likely, its infection is a repeat of the CamScanner incident, when the developer implemented a new adware SDK from an unverified source.

We notified the developers about the infection on April 8. APKPure confirmed the issue and promptly fixed it with the release of version 3.17.19.

In terms of functionality, the malicious code embedded in APKPure is standard for this type of threat. When the app starts, the payload is decrypted and launched. In this case, it is located in a long string in the app code.

The payload collects information about the user device and sends it to the C&C server.

Next, depending on the response received, the malware can:

    • Show ads when the device is unlocked.

    • Open browser pages with ads repeatedly.

    • Load additional executable modules.

In our case, a Trojan was loaded that has much in common with the notorious Triada malware and can perform a range of actions: from displaying and clicking ads to signing up for paid subscriptions and downloading other malware.


Depending on the OS version, the Trojan can inflict various forms of damage on the victim. APKPure users with current Android versions mostly risk having paid subscriptions and intrusive ads appear from nowhere. Users of smartphones who do not receive security updates are less fortunate: in outdated versions of the OS, the malware is capable of not only loading additional apps, but installing them on the system partition. This can result in an unremovable Trojan like xHelper getting onto the device.

Kaspersky solutions detect the malicious implant as HEUR:Trojan-Dropper.AndroidOS.Triada.ap.

If you use APKPure, we recommend immediately deleting the infected app and installing the “clean” 3.17.19 version. In addition, scan the system for other Trojans using a reliable security solution, such as Kaspersky Internet Security for Android.

IOCs

APKpure app
2cfaedcf879c62f5a50b42cbb0a7a499
718aecd85e9f1219f3fc05ef156d3acf
ceac990b3df466c0d23e0b7f588d1407
deac06ab75be80339c034e266dddbc9f
f64d43c64b8a39313409db2c846b3ee9

Payload
31e49ac1902b415e6716bc3fb048f381

Downloaded malware
5f9085a5e5e17cb1f6e387a901e765cf

C&C
https://wcf.seven1029[.]com
http://foodin[.]site/UploadFiles/20210406052812.apk

Reports

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before.

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.


文章来源: https://securelist.com/apkpure-android-app-store-infected/101845/
如有侵权请联系:admin#unsafe.sh