APKPure, a popular third-party Android app store and an alternative to Google's official Play Store, has been found to contain malware that allows malicious actor to download trojans on Android devices.
According to security researchers at Kaspersky, the APKPure version 3.17.18 contained an advertisement SDK with an embedded Trojan dropper, tracked as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, which is capable of downloading other malware on an infected device.
"This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky said.
Depending on the OS version, the trojan can inflict various forms of damage on the victim, ranging from being signed up for paid subscriptions and showing unwanted ads (devices running current Android versions) to getting infected with dangerous malware like the unremovable xHelper trojan if a device is running an outdated OS version.
The researchers contacted the APKPure team over the issue on April 8, and soon after a new APKPure version (3.17.19) was published on the APKPure website.