This dangerous new Android malware looks to hide from detection with distorted APKs

News
By published

Distorted APKs make analysis almost impossible, experts warn

Android Logo
(Image credit: Google)
  • zLabs spots new version of the Konfety Android malware
  • This version uses distorted APKs to avoid being detected and analyzed
  • It also uses the "evil twin" tactic to remain hidden in plain sight

The infamous Konfety Android malware has apparently been updated, with new versions hiding in plain sight through tampered APK structure, experts have warned.

Security researchers zLabs have found new Konfety variants were adopting “increasingly advanced” techniques to evade detection and hinder reverse engineering efforts.

In ZIP files (which APKs are based on), every file includes a so-called General Purpose Bit Flag, a two-byte field that stores metadata about how the file should be handled (either 0 or 1). One of the bits in the flag indicates if the file is encrypted or not.

Norton 360 with Genie
Up to 58% Off

Norton 360 with Genie

Today’s cyberthreats are more sophisticated and scams are harder to detect. That’s why we made our all-in-one security more powerful to keep you safer online. Norton 360 now with Genie AI-powered scam detection. Advanced tech for advanced threats starting at $29.99 the first year.

View Deal

Evil twins and dual-app deception

In Konfety’s case, the attackers intentionally set bit 0 to 1, even though the file wasn’t actually encrypted, causing decompression tools to misinterpret the files, analysis tools to crash thinking it was unreadable or corrupted, and reverse engineers to waste time troubleshooting.

But that’s not all. Each file entry in a ZIP archive also includes a compression method identifier (0x000 for no compression, 0x000C for an uncommon compression standard, etc.)

With Konfety, the attackers managed to declare files compressed using 0x000C, which wasn’t really the case. Since the files can’t decompress properly, it leads to partial extraction, parsing errors, or even crashes, which complicates reverse-engineering and analysis.

There are other ways Konfety tries to hide and maintain persistence. zLabs said that the attackers are also using so-called “dual-app deception”, in which there’s a legitimate app on major app stores, and a malicious one elsewhere.

The app also hides its icon when installed, and applies geofencing to make sure certain analysts and researchers can’t get to it.

Konfety works by using CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. It redirects users to malicious websites, prompts unwanted app installs, and triggers persistent spam-like browser notifications.

“The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection,” the researchers warned.

“This latest variant demonstrates their sophistication by specifically tampering with the APK's ZIP structure. This tactic is designed to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.”

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.