- zLabs details a new version of the Konfety Android malware
- This version uses a malformed APK to avoid detection and analysis
- It also uses "evil twin" tactics to hide in plain sight
The infamous Konfety Android malware has apparently been updated, with new versions that hide themselves behind a manipulated APK structure, experts have warned.
zLabs security researchers found that Konfety's new variants adopt "increasingly advanced" techniques to evade detection and hinder reverse-engineering efforts.
In the ZIP files on which APKs are based, each entry carries a so-called general purpose bit flag, a two-byte field whose individual bits (each either 0 or 1) store metadata on how the entry should be handled. One of those bits indicates whether the entry is encrypted.
Evil twins and double application deception
In Konfety's case, the attackers deliberately set bit 0 to 1 even though the entry was not actually encrypted. Decompression tools then misinterpret the entries, analysis tools stall because they assume the file is unreadable or corrupted, and engineers lose time troubleshooting.
But that's not all. Each entry in a ZIP file also carries a compression method identifier (0x0000 for no compression, 0x000C for an uncommon compression method, and so on).
With Konfety, the attackers declared entries as compressed with 0x000C when they were not. Because the entries cannot be decompressed correctly, this leads to partial extraction, parsing errors or even crashes, which complicates reverse engineering and analysis.
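To make the two header fields concrete, here is an added example (not code from the page or from zLabs) that builds a constructed minimal ZIP standing in for an APK, rewrites the general purpose bit flag and compression method of one entry in both its local and central-directory headers the way the article describes, and then audits the local headers by checking whether the bytes actually decode under the declared method and match the declared CRC and size. The entry names, contents and the helper names are all assumptions; a stock ZIP reader (Python's zipfile) is used to show the effect on tooling that trusts the headers.

```python
import bz2
import io
import struct
import zipfile
import zlib

# Local file header: sig, version, flags, method, time, date, crc, csize, usize, fnlen, extralen
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = 0x04034B50

FLAG_ENCRYPTED = 0x0001               # general purpose bit 0
METHOD_STORED, METHOD_DEFLATE, METHOD_BZIP2 = 0x0000, 0x0008, 0x000C

# (signature, flags offset, method offset, name-length offset, name offset) for the two
# header types that carry the flag and method fields: local header and central directory.
HEADER_LAYOUTS = (
    (b"PK\x03\x04", 6, 8, 26, 30),
    (b"PK\x01\x02", 8, 10, 28, 46),
)


def build_sample_apk():
    """Constructed stand-in for an APK: a plain ZIP with two stored entries (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


def tamper_headers(data, name, flags=None, method=None):
    """Rewrite the flag and/or method fields of `name` in every header that describes it."""
    buf = bytearray(data)
    target = name.encode()
    for sig, flags_off, method_off, fnlen_off, name_off in HEADER_LAYOUTS:
        pos = buf.find(sig)
        while pos != -1:
            fnlen = struct.unpack_from("<H", buf, pos + fnlen_off)[0]
            if buf[pos + name_off:pos + name_off + fnlen] == target:
                if flags is not None:
                    struct.pack_into("<H", buf, pos + flags_off, flags)
                if method is not None:
                    struct.pack_into("<H", buf, pos + method_off, method)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def iter_local_headers(data):
    """Walk local file headers from offset 0 and yield (header fields, raw entry bytes)."""
    off = 0
    while off + LOCAL_HEADER_SIZE <= len(data):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, off)
        if fields[0] != LOCAL_HEADER_SIG:
            break  # reached the central directory
        _, _, flags, method, _, _, crc, csize, usize, fnlen, extralen = fields
        name = data[off + LOCAL_HEADER_SIZE:off + LOCAL_HEADER_SIZE + fnlen].decode("utf-8", "replace")
        start = off + LOCAL_HEADER_SIZE + fnlen + extralen
        yield {"name": name, "flags": flags, "method": method, "crc": crc, "usize": usize}, data[start:start + csize]
        off = start + csize


def _decode(method, raw):
    """Decode raw entry bytes with the declared method; None if the method does not fit the bytes."""
    try:
        if method == METHOD_STORED:
            return raw
        if method == METHOD_DEFLATE:
            return zlib.decompress(raw, -15)
        if method == METHOD_BZIP2:
            return bz2.decompress(raw)
    except (zlib.error, OSError, ValueError):
        return None
    return None  # unknown method


def audit_local_headers(data):
    """Return (name, finding) pairs where a header's claims disagree with the entry bytes."""
    findings = []
    for h, raw in iter_local_headers(data):
        plain = _decode(h["method"], raw)
        declared_ok = plain is not None and len(plain) == h["usize"] and zlib.crc32(plain) == h["crc"]
        stored_ok = len(raw) == h["usize"] and zlib.crc32(raw) == h["crc"]
        if h["method"] != METHOD_STORED and not declared_ok and stored_ok:
            findings.append((h["name"], f"declares method 0x{h['method']:04X} but bytes are uncompressed plaintext"))
        elif not declared_ok and not (h["flags"] & FLAG_ENCRYPTED):
            findings.append((h["name"], f"bytes do not decode with declared method 0x{h['method']:04X}"))
        if h["flags"] & FLAG_ENCRYPTED and stored_ok:
            findings.append((h["name"], "encryption bit set but data is plaintext"))
    return findings


def try_extract(data, name):
    """Read one entry with a stock ZIP library; 'ok' or the name of the exception it raised."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return "ok"
    except Exception as exc:  # report whichever failure the header lie provokes
        return type(exc).__name__


if __name__ == "__main__":
    clean = build_sample_apk()
    evil = tamper_headers(clean, "classes.dex", flags=FLAG_ENCRYPTED, method=METHOD_BZIP2)
    print("clean   :", audit_local_headers(clean), try_extract(clean, "classes.dex"))
    print("tampered:", audit_local_headers(evil), try_extract(evil, "classes.dex"))
```

The audit deliberately trusts nothing in the header: it recomputes the CRC over the bytes as stored, so an entry that claims to be encrypted or BZIP2-compressed while its bytes are verbatim plaintext is reported as such, which is the condition a triage pipeline can alert on before handing the archive to a decompiler that would otherwise stop with "encrypted" or "corrupt".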
There are other ways in which Konfety tries to hide and maintain persistence. zLabs said the attackers are also using so-called "double application deception", in which a legitimate application is listed in the main app stores while a malicious one is distributed elsewhere.
The application also hides its icon once installed, and applies geofencing to ensure that certain analysts and researchers cannot reach it.
Konfety uses the CaramelAds SDK to fetch advertisements, deliver payloads and maintain communication with attacker-controlled servers. It redirects users to malicious websites, triggers unwanted app installs and fires persistent spam-like notifications.
“The threat actors behind Konfety are highly adaptable, constantly altering their advertising networks and updating their methods to evade detection,” the researchers warned.
“This latest variant demonstrates its sophistication by specifically manipulating the ZIP structure of the APK. This tactic is designed to bypass security controls and significantly complicate reverse-engineering efforts, making detection and analysis more challenging for security professionals.”
Via BleepingComputer