This dangerous new Android malware looks to hide from detection with distorted APKs

  • zLabs spots new version of the Konfety Android malware
  • This version uses distorted APKs to avoid being detected and analyzed
  • It also uses the “evil twin” tactic to remain hidden in plain sight

The infamous Konfety


Evil twins and dual-app deception

In Konfety’s case, the attackers intentionally set bit 0 to 1 even though the file wasn’t actually encrypted, causing decompression tools to misinterpret the files, analysis tools to crash or treat the archive as unreadable or corrupted, and reverse engineers to waste time troubleshooting.

But that’s not all. Each file entry in a ZIP archive also includes a compression method identifier (0x0000 for no compression, 0x000C for an uncommon compression method, and so on).

With Konfety, the attackers declared files as compressed with method 0x000C when they were not. Because the files can’t be decompressed as declared, extraction is partial, parsers report errors, or tools crash outright, all of which complicates reverse engineering and analysis.
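As an added example (not code from zLabs or the article), the following Python audit flags the two ZIP-level tricks described above: a set encryption bit (bit 0 of the general-purpose flags) and an uncommon compression method such as 0x000C, and it also reports when an entry’s local file header disagrees with the central directory, since tools that trust one header but not the other behave differently. The sample archive is constructed inside the script, and the field offsets follow the PKWARE APPNOTE ZIP specification.

```python
import io
import struct
import zipfile

# Signatures and field values from the PKWARE APPNOTE (the ZIP specification).
EOCD_SIG, CENTRAL_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
COMMON_METHODS = {0x0000, 0x0008}  # stored and deflate: what genuine APKs use
BZIP2 = 0x000C                     # the uncommon method Konfety declares but does not use
ENCRYPTED = 0x0001                 # general-purpose flag bit 0

def build_sample_apk(tamper=True):
    """Constructed sample: a two-entry archive whose first local file header is
    rewritten the way the article describes (encryption bit set, method 0x000C)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    data = bytearray(buf.getvalue())
    if tamper:  # local header layout: signature(4) version(2) flags(2) method(2) ...
        struct.pack_into("<HH", data, 6, ENCRYPTED, BZIP2)
    return bytes(data)

def audit_zip_headers(data):
    """Walk the central directory and return (filename, issue) pairs for entries
    whose flags or method look tampered, or whose local header disagrees."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            return findings + [("<archive>", "truncated central directory")]
        c_flag, c_method = struct.unpack_from("<HH", data, pos + 8)
        n_len, x_len, cmt_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace")
        l_flag, l_method = struct.unpack_from("<HH", data, local_off + 6)
        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append((name, "local header signature missing"))
        for where, flag, method in (("local", l_flag, l_method), ("central", c_flag, c_method)):
            if flag & ENCRYPTED:
                findings.append((name, f"{where} header claims encryption"))
            if method not in COMMON_METHODS:
                findings.append((name, f"{where} header declares method 0x{method:04X}"))
        if (l_flag, l_method) != (c_flag, c_method):
            findings.append((name, "local and central headers disagree"))
        pos += 46 + n_len + x_len + cmt_len
    return findings
```

Run against a real APK by passing the file’s bytes to audit_zip_headers; an empty list means every entry’s headers agree and use only stored or deflate.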

There are other ways Konfety tries to hide and maintain persistence. zLabs said that the attackers are also using so-called “dual-app deception”, in which there’s a legitimate app on major app stores, and a malicious one elsewhere.

The app also hides its icon when installed, and applies geofencing to make sure certain analysts and researchers can’t get to it.

Konfety works by using CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. It redirects users to malicious websites, prompts unwanted app installs, and triggers persistent spam-like browser notifications.

“The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection,” the researchers warned.

“This latest variant demonstrates their sophistication by specifically tampering with the APK’s ZIP structure. This tactic is designed to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.”

Via BleepingComputer
