A brand new variant of the Konfety Android malware emerged with a malformed ZIP construction together with different obfuscation strategies that permit it to evade evaluation and detection.
Konfety poses as a respectable app, mimicking innocuous merchandise obtainable on Google Play, however options not one of the promised performance.
The capabilities of the malware embrace redirecting customers to malicious websites, pushing undesirable app installs, and pretend browser notifications.
As a substitute, it fetches and renders hidden advertisements utilizing the CaramelAds SDK and exfiltrates data resembling put in apps, community configuration, and system data.
Supply: Zimperium
Though Konfety is not a adware or RAT instrument, it contains an encrypted secondary DEX file contained in the APK, which is decrypted and loaded at runtime, containing hidden providers declared within the AndroidManifest file.
This leaves the door open for putting in further modules dynamically, thus permitting the supply of extra harmful capabilities on present infections.
Evasion techniques
Researchers at cell safety platform Zimperium found and analyzed the most recent Konfety variant and report that the malware makes use of a number of strategies to obfuscate its actual nature and exercise.
Konfety tips victims into putting in it by copying the title and branding of respectable apps can be found on Google Play and distributing it by means of third-party shops – a tactic that researchers at Human known as “evil twin” or “decoy twin.”
The operators of the malware are selling it on third-party app shops.
These marketplaces are sometimes the place customers search for “free” variants of premium apps as a result of they need to keep away from Google monitoring, have an Android system that’s not supported, or haven’t got entry to Google providers.
The dynamic code loading, the place the malicious logic is hidden in an encrypted DEX file that hundreds at runtime, is one other efficient obfuscation and evasion mechanism that Konfety employs.
One other unusual anti-analysis technique in Konfety is to govern the APK recordsdata in a approach that confuses or breaks static evaluation and reverse engineering instruments.
First, the APK units the Common Goal Bit Flag to ‘bit 0,’ signaling that the file is encrypted, although it’s not. This triggers false password prompts when attempting to examine the file, blocking or delaying entry to the APK’s contents.
Secondly, crucial recordsdata within the APK are declared utilizing BZIP compression (0x000C), which is not supported by evaluation instruments like APKTool and JADX, leading to a parsing failure.
Supply: Zimperium
In the meantime, Android ignores the declared technique and falls again to default processing to keep up stability, permitting the malicious app to put in and run on the system with out situation.
After set up, Konfety hides its app icon and title and makes use of geofencing to vary conduct in keeping with the sufferer’s area.
Compression-based obfuscation has been noticed previously in Android malware, as highlighted in a Kaspersky report from April 2024 on SoumniBot malware.
In that case, SoumniBot declared an invalid compression technique in AndroidManifest.xml, declared a faux file dimension and information overlay, and confused evaluation instruments with very giant namespace strings.
It’s sometimes beneficial to keep away from putting in APK recordsdata from third-party Android app shops and solely belief software program from publishers you realize.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
