Analysing Third-Party App Stores for Modded APKs Through Signature Verification

Even after the ban of major Chinese apps like PUBG, they were available for download on third party app stores. Similarly, modified versions of apps such as Spotify and Hotstar, that offer access to premium services without intrusive advertisements, for free, are also popular on the third party app stores. Although such apps may look quite similar to their original versions, they are not developed by the same manufacturer. Users resort to third party app stores when certain apps are not available on official stores like Google Play store and Apple App Store, or if they are too expensive, or simply because they contain too many ads. Third party-app stores are popular among users due to the following features as well:

• Provide access to the older versions of the app
• Free games and applications as opposed to their expensive equivalent
• Apps available in multiple languages
• Downloads incentivized with perks such as virtual currency and other rewards
• Access to beta versions of apps
• Free-trial period for apps

High-Risk Modded APKs

Modded APKs are basically modified versions of genuine Android packages (APKs) that contain additional features, unlimited in-game currency, keys, or passes, etc. Such APKs may even contain backdoors that potentially compromise the device and its users. 

• Hidden dangers in Spotify adfree apps

The third-party iOS app store TutuApp offers pirated versions of games/ apps, unauthorized games, as well as ad-free versions of applications like Spotify. In the particular case of Spotify, independent developers repackaged the original iOS app with a built-in ad blocker. Such applications request for independent permissions that allow threat actors to access different parts of a phone. 

TutuApp leverages Apple’s enterprise certificate program that allows other organizations to build and deploy in-house, proprietary apps for their employees. This is also another way to evade Apple’s screening process.

• Suspicious Pokemon Go apps

Several applications associated with Pokemon Go have been repackaged and released into the wild, targeting both Android and iOS users. Here are the various categories these apps belong to:

1. Repackaged versions of Pokemon Go, infected with Trojan (Android). For instance the Pokemon Go app injected with a RAT dubbed SandroRat.
2. Repackaged versions of Pokemon Go, infected with adware (Android). 
3. Malicious apps that masquerade as the Pokemon Go app, to carry out odd, unexpected activities such as enrolling oneself as the device admin (Android).
4. Repackaged, modded versions of Pokemon Go that bypass in-app billing, spoof locations, etc. or disable jailbreak detection (Android and iOS).

Some of these apps are inherently malicious, made to target its users. While others have been tampered with and provide users with an advantage.

CloudSEK’s Analysis of Over 50 Third-Party Stores

For the purpose of an ongoing research, CloudSEK conducted an analysis on more than 50 third-party app stores. The main purpose of this study was to check the credibility of these stores and to detect whether the apps available on such stores contained any modded code that varied from the one in the official APK. In order to achieve this, the APKs of similar apps, belonging to the same version were downloaded from the official app store as well as the third-party app store. Then, we conducted signature verification on all third-party apps. 

The Process of Signature Verification 

By default, the Android OS requires all applications to be signed, to be installed. This signature allows you to identify the author of an application (which can be used to verify its legitimacy), as well as establish trust relationships between applications that share the same signature. Even though there are multiple versions of the APK Signature Scheme (V1 – V4), every application currently includes signature version V1 (dubbed JAR signature) to maintain backward compatibility.

Signature Verification Scheme V1

1. Each APK contains a signature file in its META-INF/ folder.
2. META-INF/<signer>.(RSA|DSA|EC) is the signature used to sign every file in the APK.
3. The different RSA|DSA|EC options are for different crypto signatures, one META-INF folder might contain only one of these signatures.
4. META-INF/ MANIFEST.MF contains a digest of signature for each file.

How does the verification process work?

1. The process starts by searching for the signature file in the APK ZIP file within the META-INF folder.
2. The OpenSSL is then used to extract the signature.
3. Finally, the signatures are compared with that of the official APK and the results are returned.

Results of the Analysis

We verified around 990 third-party apps using the signature verification process. Some of the third party app stores that were analysed were allfreeapk, apkpure, apksfull, apktada.

We detected a total of 10 third-party apps that were modified or for which the signatures did not match and that contained a different code that’s different from the original APK. These are some of the apps that contained modded APKs:

Analysis of the Modded APK

• Picsart Photo Editor 

Vulnerabilities found 

1. Android Fleeceware (PUA)

Apps that cajole users into buying a free trial of their services, and charges them exorbitant subscription fees once the trial period ends. Such fleeceware apps do not function unless provided with the users’ payment details. If users fall for this trick and supply their details, the app uses these details to debit the subscription fees after the trial period is over, without the consent of the user.

1. Heur/HTML RefreshScript 

Heur/HTML.Malware is malware that is detected using a heuristic detection routine which is designed to find common malware scripts in HTML files. 

• Spotify

Vulnerabilities found

1. Ewind Trojan 

The Ewind Trojan is essentially an adware that monetizes applications by displaying unwanted advertisements on the victim’s device. Adware also gathers device data and is also capable of forwarding messages to the attacker.  The adware Trojan could in fact even allow full remote access to the infected device.

1. Riskware/Jiagu!Android

Riskware constitutes apps that are not inherently classified as malware. However, it may utilize system resources in an unexpected or annoying manner, and/ or may pose a security risk to the victim device. 

How do attackers modify official apps?

Apart from the prominent examples that we have shared above, there are quite a large number of modified apps lurking in third-party stores. And it’s only a matter of time before the next victim falls prey to one of these thousands of malicious apps. Let’s have a look at some of the methods by which attackers manage to modify official applications. 

• Add a Debugging Flag in a Configuration File

The attacker adds “debug=true” to a .properties file in a local app, manually. The application then returns log files that are quite descriptive, upon its launch. These log files provide attackers with access to the backend systems. Which in turn enables the attacker to search for vulnerabilities within the system, so as to exploit them.

• Code Manipulation

The attacker adds conditional jumps within the code which allows them to bypass the process of detecting a successful in-app purchase. This helps them obtain as many game artifacts and abilities as possible, without having to pay for them. The attacker may also inject spyware into the app to steal the identity of their victims. 

• Unauthorized Access to Administrative Endpoint

An attacker could gain access to the administrative endpoint that the developers leave exposed during the process of endpoint testing. The attacker could perform string analysis of the binary to find out the hardcoded URL to the administrative REST endpoint. Followed by which the attacker could use ‘cURL’ to execute back-end administrative functions.

• Usability Requirements

Usability requirements specify that the mobile app passwords can only be 4 digits long. Server code stores a hashed version of the password. As the password is very short, an attacker will be able to deduce the original password using rainbow hash tables. If the attacker manages to compromise the password file on the server, it could expose the user’s password.

• Certificate inspection 

A secure channel is established when the app and the endpoint connects through a TLS handshake. If the app accepts the certificate offered by the server without inspecting it, it could disrupt the mutual authentication protocol between the endpoint and the app allowing man-in-the-middle (MiTM) attacks.

Third-party applications may thus seem innocent, but could in fact be nefarious and have grave implications on its users. However, third-party apps that are malicious can be identified with processes like signature verification. Users have to avoid or observe caution before installing apps that are not from the official app stores.