A new Konfety Android malware variant uses a malformed ZIP and obfuscation to evade detection, posing as fake apps with no real functionality.
Zimporium zLabs researchers are tracking a new, sophisticated Konfety Android malware variant that uses an “evil-twin” tactic and duplicate package names to avoid detection.
The new Konfety malware variants use malformed ZIP, enabling a misleading flag and declaring an unsupported BZIP compression, to evade analysis tools.
“The APK contains the bit 00 of the General Purpose Flags enabled. This causes some tools to incorrectly identify the APK (ZIP) as encrypted and subsequently request a password for decompression.” reads the report published by Zimporium. “The AndroidManifest.xml of these samples declared the BZIP compression method. However, the file is not actually compressed using this algorithm. This discrepancy resulted in partial decompression for decompression tools and invalid file parsing for analysis tools.”
The Konfety malware uses low-level ZIP tricks to block security tools from analyzing its code. Some tricks trigger fake password prompts or crash tools like APKTool and JADX. Android, however, handles these unusual files gracefully, quietly installing the app by treating unsupported formats as normal files.
The latest Konfety malware variants use advanced obfuscation to avoid detection. They load hidden, encrypted code at runtime, which makes the code not visible during standard scans. This hidden code (a secondary DEX file) contains key components declared in the app’s manifest but missing from the main code, raising red flags.
“One of the key techniques employed is dynamic code loading, where additional executable code is loaded at runtime from an encrypted asset bundled within the APK.” states the report. “This encrypted file contains a secondary DEX (Dalvik Executable) file, which is not immediately visible during a standard inspection of the APK.”
These components link back to Konfety’s past use of the CaramelAds SDK for ad fraud, letting the malware silently run ads, install payloads, and talk to remote servers without the user’s knowledge.
“Further indicators linking the current malware to the earlier campaign discovered by Human include the appearance of a User Agreement popup and the presence of a specific regular expression within the code. This expression searches for the pattern @injseq, which was also used in previous versions” continues the report.
Konfety disguises itself as a legitimate Google Play app but delivers none of its claimed features, hiding its true malicious intent. The malware disguises itself by using the same package name as legitimate apps on the Play Store but lacks their functionality, hiding its icon and app name to remain stealthy. Upon launch, it tricks users into accepting a user agreement, then opens a browser to connect with a remote server. This redirects through several sites, ultimately leading victims to install unauthorized apps or enable intrusive browser notifications.
The report includes indicators of compromise of this campaign along with the MITRE Tactics and Techniques.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, malware)
