There are over 1,160 malicious Android application packages (APKs) laced with Trojans in four third party app stores capable of rooting Android-running devices, researchers said. The foure stores are: Aptoide, Mobogenie, mobile9, and 9apps.
Over a four-day period the malicious apps ended up downloaded by users from 169 countries, mostly India, Indonesia and the Philippines.
All these apps are versions of legitimate game, security, music streaming and other popular apps, but they have an attached Trojan. “They even share the exact same package and certification with their Google Play counterpart,” said Trend Micro mobile threats analyst Jordan Pan.
They do contain malware dubbed ANDROIDOS_ LIBSKIN.A, which is capable of rooting the phone, download additional malicious apps and install them, show ads, and collect user and device data and send them to a remote server controlled by the malware author.
Researchers informed the third party stores about these threats, but still haven’t heard back from them.
That just goes to show, while not always secure, the best way to download an Android app is from Google Play.
“Though we highly recommend to sticking to Google Play for Android users, downloading apps from third-party stores still has its set of merits,” Pan said. Still, users should be careful about what they are downloading – it’s always a good idea to check the reputation of the store and the app’s developer before downloading anything.
“For developers publishing their apps, make sure to partner with reputable stores. Secure coding also helps prevent cybercriminals from replicating or modifying their work to include malware,” Pan said.