Security researchers say APKPure, a widely popular app for installing older or discontinued Android apps from outside of Google's app store, contained malicious adware that flooded the victim's device with unwanted ads.
Kaspersky Lab said that it alerted APKPure on Thursday that its most recent app version, 3.17.18, contained malicious code that siphoned off data from a victim's device without their knowledge, and pushed ads to the device's lock screen and in the background to generate fraudulent revenue for the adware operators.
But the researchers said that the malicious code had the capacity to download other malware, potentially putting affected victims at further risk.
The researchers said the APKPure developers likely introduced the malicious code, known as a software development kit or SDK, from an unverified source. APKPure removed the malicious code and pushed out a new version, 3.17.19, and the developers no longer list the malicious version on its site.
APKPure was set up in 2014 to allow Android users access to a vast bank of Android apps and games, including old versions, as well as app versions from other regions that are no longer on Android's official app store Google Play. It later launched an Android app, which also has to be installed outside Google Play, serving as its own app store to allow users to download older apps directly to their Android devices.
APKPure is ranked as one of the most popular sites on the internet.
But security experts have long warned against installing apps outside of the official app stores as quality and security vary wildly as much of the Android malware requires victims to install malicious apps from outside the app store. Google scans all Android apps that make it into Google Play, but some have slipped through the cracks before.
TechCrunch contacted APKPure for comment but did not hear back.