Rooting malware lurking in third party Android app stores

Downloading Android apps from Google Play might not always be a safe proposition, but downloading them from third party app stores is definitely less safe.

According to Trend Micro mobile threats analyst Jordan Pan, the company has recently discovered over 1,163 malicious Trojanized APKs in four third party app stores (Aptoide, Mobogenie, mobile9, and 9apps), which are capable of rooting Android devices and opening them to additional dangers.

In just four days, the malicious apps were downloaded by users from 169 countries, mostly India, Indonesia and the Philippines.

All these apps are Trojanized versions of legitimate game, security, music streaming and other popular apps. “They even share the exact same package and certification with their Google Play counterpart,” notes Pan.

But they are repackaged to contain malware dubbed ANDROIDOS_LIBSKIN.A, which is capable of rooting the phone, downloading and installing additional malicious apps, showing ads, and collecting user and device data and sending it to a remote server controlled by the malware author(s).

The malware’s infection flow looks like this:

[Figure: Malware's infection flow]

The researchers have informed the aforementioned third party stores about these threats, but still haven’t heard back from them.

“Though we highly recommend sticking to Google Play for Android users, downloading apps from third-party stores still has its set of merits,” says Pan. Still, users should be careful about what they are downloading – it’s always a good idea to check the reputation of the store and the app’s developer before downloading anything.

“For developers publishing their apps, make sure to partner with reputable stores. Secure coding also helps prevent cybercriminals from replicating or modifying their work to include malware,” Pan advises.