Although Google naturally advocates using only its blessed Google Play Store, there is technically nothing that prevents users from using other sources for their app needs. While those alternative stores sometimes offer legitimate benefits over Google Play Store for one reason or another, they are also sometimes targeted more heavily by malware authors because of their less restrictive policies and systems. In some cases, however, it may be the store owner’s own actions that lead to a security compromise, as was the case with APKPure’s own app.
Along with the likes of APKMirror and the open source-oriented F-Droid, APKPure is one of the more popular sources for APKs, whether or not their presence there has been authorized by the apps’ developers. Rather than just making users go through its website all the time, APKPure released its own app store app, which naturally isn’t available from Google Play Store. Unfortunately, that app itself apparently became the gateway for malware to infect users.
According to Kaspersky Labs’ post, APKPure’s developers became the victim of malicious code from a new adware SDK that they implemented. Using adware is itself already in bad taste but is actually par for the course for these kinds of apps and platforms. Unfortunately, this kind of tactic is known to dupe developers into infecting their own users with trojans and other malware via otherwise trusted apps.
The effect on Android users depends on whether they’re running the latest OS versions and security patches. At best, infected users will be bombarded with ads and paid subscriptions but, at worst, those with older Android versions might find themselves with unremovable malware installed on the phone’s system partition.
The slightly good news is that APKPure already fixed it in the latest 3.17.19 version of the app. If you’re using version 3.17.18, uninstall that immediately and scan your phone using antimalware software (Kaspersky naturally suggests its own). It might also be an opportunity to reevaluate the use of third-party app sources and, if they are really unavoidable, to take steps to minimize the potential damage they might do, like just using APKPure’s website instead of its app.