Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malicious APK evasion. Show all posts
malware
Android malware 2025 CaramelAds SDK fake Android apps Konfety malware malicious APK evasion malware

New Variant of Konfety Android Malware Evades Detection Using Obfuscation, Malformed ZIP Tactics

 

A newly discovered variant of the Konfety Android malware is raising concerns among cybersecurity researchers due to its use of sophisticated evasion techniques, including a malformed ZIP structure and encrypted dynamic code loading, to bypass analysis and detection tools.

Disguised as a legitimate Android app, Konfety mimics harmless software found on Google Play, yet delivers none of the expected functionality. Instead, it redirects users to malicious websites, installs unwanted applications, and pushes fake browser notifications. It also silently displays hidden ads using the CaramelAds SDK, while stealing device data such as installed apps, system settings, and network information.

Although not classified as spyware or a remote access trojan (RAT), Konfety includes a secondary encrypted DEX file within its APK package. This file is decrypted at runtime and contains concealed services declared in the AndroidManifest, which allows attackers to deploy additional malicious modules later—potentially introducing more harmful features to already-infected devices.

Researchers from mobile security firm Zimperium uncovered and analyzed this latest version of Konfety. Their findings show the malware employs several obfuscation methods to avoid scrutiny.

One key tactic is the use of the “evil twin” strategy, wherein the malware copies the name and branding of legitimate Google Play apps but is distributed through third-party app stores. These platforms often appeal to users seeking free alternatives to premium apps, or those without access to Google services.

Konfety also hides its malicious code in an encrypted file that only executes during runtime. This dynamic code loading significantly complicates analysis efforts.

In an uncommon move, the malware manipulates the APK’s ZIP structure to mislead reverse engineering tools. For instance, it sets a General Purpose Bit Flag that falsely signals the file is encrypted, triggering password prompts and delaying inspection. Additionally, it uses BZIP compression—unsupported by popular tools like APKTool and JADX—causing them to fail when parsing the file. Despite these declarations, Android’s fallback mechanisms allow the malware to install and function normally.

Once installed, Konfety removes its icon and name from the app drawer and uses geofencing to adapt its behavior based on the user’s location.

These methods echo similar techniques found in the SoumniBot malware, which Kaspersky documented in April 2024. SoumniBot used invalid compression methods, misleading file sizes, and oversized namespace strings to disrupt analysis.

To reduce the risk of infection, experts strongly advise against downloading APKs from third-party Android stores. Stick to apps from trusted publishers and avoid sideloading software unless absolutely necessary.

“The combination of obfuscation layers, dynamic code execution, and compression-based tricks makes Konfety a significant threat in the evolving Android malware landscape,” said Zimperium researchers.
Read more »
Subscribe to: Posts (Atom)