To avoid malware detection, threat actors are employing Android Package (APK) files with unknown or unsupported compression algorithms.
That's according to findings from Zimperium, which discovered 3,300 artefacts using such compression algorithms in the wild. 71 of the discovered samples can be successfully loaded into the operating system.
There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them.
The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method."
The benefit of this approach is that it can withstand decompilation tools while still being installed on Android devices with operating systems older than Android 9 Pie.
The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation.
There are two ways that Android packages can use the ZIP format: one without compression and the other with the DEFLATE algorithm. The key finding in this study is that APKs compressed using unsupported techniques cannot be installed on devices running Android versions lower than 9, while they may be used without issue on subsequent versions.
Zimperium also found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to trigger analysis tools to crash.
The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users.
Safety measures
Thankfully, there are several procedures you can take to safeguard your phone from malicious Android apps. The first and most significant piece of advice is to stay away from sideloading apps unless it is unavoidable. There are a few peculiar situations in which you might need to sideload an app for work or to make a certain product work, but other than that, you shouldn't install any apps from unknown sources.
As a general guideline, you should only download apps from the Play Store or other authorised app shops like the Samsung Galaxy Store or Amazon Appstore. Sometimes malicious software does manage to slip through the gaps, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.
