Even after the ban of major Chinese apps like PUBG, they were available for download on third party app stores. Similarly, modified versions of apps such as Spotify and Hotstar, that offer access to premium services without intrusive advertisements, for free, are also popular on the third party app stores. Although such apps may look quite similar to their original versions, they are not developed by the same manufacturer. Users resort to third party app stores when certain apps are not available on official stores like Google Play store and Apple App Store, or if they are too expensive, or simply because they contain too many ads. Third party-app stores are popular among users due to the following features as well:
Modded APKs are basically modified versions of genuine Android packages (APKs) that contain additional features, unlimited in-game currency, keys, or passes, etc. Such APKs may even contain backdoors that potentially compromise the device and its users.
The third-party iOS app store TutuApp offers pirated versions of games/ apps, unauthorized games, as well as ad-free versions of applications like Spotify. In the particular case of Spotify, independent developers repackaged the original iOS app with a built-in ad blocker. Such applications request for independent permissions that allow threat actors to access different parts of a phone.
TutuApp leverages Apple’s enterprise certificate program that allows other organizations to build and deploy in-house, proprietary apps for their employees. This is also another way to evade Apple’s screening process.
Several applications associated with Pokemon Go have been repackaged and released into the wild, targeting both Android and iOS users. Here are the various categories these apps belong to:
Some of these apps are inherently malicious, made to target its users. While others have been tampered with and provide users with an advantage.
For the purpose of an ongoing research, CloudSEK conducted an analysis on more than 50 third-party app stores. The main purpose of this study was to check the credibility of these stores and to detect whether the apps available on such stores contained any modded code that varied from the one in the official APK. In order to achieve this, the APKs of similar apps, belonging to the same version were downloaded from the official app store as well as the third-party app store. Then, we conducted signature verification on all third-party apps.
By default, the Android OS requires all applications to be signed, to be installed. This signature allows you to identify the author of an application (which can be used to verify its legitimacy), as well as establish trust relationships between applications that share the same signature. Even though there are multiple versions of the APK Signature Scheme (V1 – V4), every application currently includes signature version V1 (dubbed JAR signature) to maintain backward compatibility.
We verified around 990 third-party apps using the signature verification process. Some of the third party app stores that were analysed were allfreeapk, apkpure, apksfull, apktada.
We detected a total of 10 third-party apps that were modified or for which the signatures did not match and that contained a different code that’s different from the original APK. These are some of the apps that contained modded APKs:
App Store Name |
Package Name |
App Name |
Oceanofapk |
|
|
Aptoide | com.truecaller | Truecaller |
Apk20 | com.pinterest |
Package name |
com.picsart.studio |
Store Name |
Oceanofapk |
Version |
PicsArt_v15.1.5 |
Apps that cajole users into buying a free trial of their services, and charges them exorbitant subscription fees once the trial period ends. Such fleeceware apps do not function unless provided with the users’ payment details. If users fall for this trick and supply their details, the app uses these details to debit the subscription fees after the trial period is over, without the consent of the user.
Heur/HTML.Malware is malware that is detected using a heuristic detection routine which is designed to find common malware scripts in HTML files.
Package name |
com.picsart.studio |
Store Name |
Oceanofapk |
Version |
spotify-premium-8.5.80.1037 |
The Ewind Trojan is essentially an adware that monetizes applications by displaying unwanted advertisements on the victim’s device. Adware also gathers device data and is also capable of forwarding messages to the attacker. The adware Trojan could in fact even allow full remote access to the infected device.
Riskware constitutes apps that are not inherently classified as malware. However, it may utilize system resources in an unexpected or annoying manner, and/ or may pose a security risk to the victim device.
Apart from the prominent examples that we have shared above, there are quite a large number of modified apps lurking in third-party stores. And it’s only a matter of time before the next victim falls prey to one of these thousands of malicious apps. Let’s have a look at some of the methods by which attackers manage to modify official applications.
The attacker adds “debug=true” to a .properties file in a local app, manually. The application then returns log files that are quite descriptive, upon its launch. These log files provide attackers with access to the backend systems. Which in turn enables the attacker to search for vulnerabilities within the system, so as to exploit them.
The attacker adds conditional jumps within the code which allows them to bypass the process of detecting a successful in-app purchase. This helps them obtain as many game artifacts and abilities as possible, without having to pay for them. The attacker may also inject spyware into the app to steal the identity of their victims.
An attacker could gain access to the administrative endpoint that the developers leave exposed during the process of endpoint testing. The attacker could perform string analysis of the binary to find out the hardcoded URL to the administrative REST endpoint. Followed by which the attacker could use ‘cURL’ to execute back-end administrative functions.
Usability requirements specify that the mobile app passwords can only be 4 digits long. Server code stores a hashed version of the password. As the password is very short, an attacker will be able to deduce the original password using rainbow hash tables. If the attacker manages to compromise the password file on the server, it could expose the user’s password.
A secure channel is established when the app and the endpoint connects through a TLS handshake. If the app accepts the certificate offered by the server without inspecting it, it could disrupt the mutual authentication protocol between the endpoint and the app allowing man-in-the-middle (MiTM) attacks.
Third-party applications may thus seem innocent, but could in fact be nefarious and have grave implications on its users. However, third-party apps that are malicious can be identified with processes like signature verification. Users have to avoid or observe caution before installing apps that are not from the official app stores.
Sign up so that you don't miss any updates from us
Didn't Find what you are looking for search here