- Zlabs spots a new version of the Konfety Android malware
- This version uses malformed APKs to evade detection and analysis
- It also uses an "evil twin" tactic to stay hidden in plain sight
The infamous Konfety Android malware has apparently been updated, with new versions hiding in plain sight through a modified APK structure, experts have warned.
Zlabs security researchers have found that the new Konfety variants adopt "increasingly advanced" techniques to evade detection and hinder reverse engineering efforts.
In ZIP files (the format on which APKs are based), each file entry includes a general purpose bit flag, a two-byte field that stores metadata on how the file must be handled. One of those bits (bit 0) indicates whether the file is encrypted.
Evil twins and dual-app deception
In Konfety's case, the attackers deliberately set bit 0 to 1 even though the file was not encrypted. This makes decompression tools believe the entry is encrypted, leads analysis tools to treat it as unreadable or corrupt, and forces reverse engineers to waste time working around it.
But that's not all. Each file entry in a ZIP archive also includes a compression method identifier (0x0000 for no compression, 0x000c for an unusual compression method, and so on).
With Konfety, the attackers declared files as compressed with method 0x000c when they were not. Because the files cannot be decompressed correctly, extraction is only partial and analysis tools report errors or even crash, which complicates reverse engineering and analysis.
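The two header tricks described above can be caught by reading the ZIP local file headers directly instead of trusting an unpacker. The following is an added example, not code from Zlabs or from the article: it builds a constructed two-entry archive, patches the second entry's header the way the text describes (bit 0 set without encryption, method 0x000c without recompression), and then scans every local header for the encryption bit and for compression methods outside the common set. The file names and contents are constructed.

```python
import io
import struct
import zipfile

# Local file header layout (30 bytes): signature, version needed, general purpose
# bit flag, compression method, mod time, mod date, CRC-32, compressed size,
# uncompressed size, file name length, extra field length.
LFH_SIG = b"PK\x03\x04"
LFH_FMT = "<4sHHHHHIIIHH"
LFH_LEN = struct.calcsize(LFH_FMT)
# Methods an ordinary APK is expected to use; anything else (e.g. 0x000c) is flagged.
EXPECTED_METHODS = {0x0000: "stored", 0x0008: "deflate"}

def scan_local_headers(data: bytes) -> list:
    """Walk each local file header and report the tampering patterns from the article."""
    findings = []
    pos = data.find(LFH_SIG)
    while pos >= 0:
        (_sig, _ver, flags, method, _t, _d, _crc, csize,
         _usize, nlen, xlen) = struct.unpack_from(LFH_FMT, data, pos)
        name = data[pos + LFH_LEN:pos + LFH_LEN + nlen].decode("utf-8", "replace")
        if flags & 0x0001:          # bit 0: entry claims to be encrypted
            findings.append((name, "encryption bit set"))
        if method not in EXPECTED_METHODS:
            findings.append((name, f"unusual compression method 0x{method:04x}"))
        # Skip past the entry body; if bit 3 (data descriptor) is set the size in the
        # header is unreliable, so fall back to searching from the header itself.
        skip = LFH_LEN + nlen + xlen + (0 if flags & 0x0008 else csize)
        pos = data.find(LFH_SIG, pos + skip)
    return findings

def build_sample() -> bytes:
    """Constructed sample: a benign stored archive whose second entry's header is
    patched to claim encryption (flag bit 0) and method 0x000c, while the bytes
    themselves remain plain and uncompressed, as the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")       # constructed
        zf.writestr("classes.dex", b"dex\n035 constructed body")  # constructed
    data = bytearray(buf.getvalue())
    second = data.find(LFH_SIG, data.find(LFH_SIG) + 4)
    struct.pack_into("<HH", data, second + 6, 0x0001, 0x000C)  # flags, method
    return bytes(data)

if __name__ == "__main__":
    for name, issue in scan_local_headers(build_sample()):
        print(f"{name}: {issue}")
```

A standard unpacker would refuse or mangle the second entry, while this scan reports the mismatch and still names the entry.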
There are other ways in which Konfety tries to hide and maintain persistence. Zlabs said the attackers also use so-called "dual-app deception", in which a legitimate version of the app is published on the main app stores while the malicious version is distributed elsewhere.
Once installed, the app also hides its icon and applies geofencing to ensure that analysts and researchers in some regions cannot access it.
Konfety uses the CaramelAds SDK to fetch advertisements, deliver payloads and maintain communication with attacker-controlled servers. It redirects users to malicious websites, prompts unwanted app installations and triggers spam-like browser notifications.
"The threat actors behind Konfety are highly adaptable, constantly changing their targeted ad networks and updating their methods to evade detection," the researchers warned.
"This latest variant demonstrates their sophistication by specifically altering the ZIP structure of the APK. This tactic is designed to bypass security checks and considerably complicate reverse engineering efforts, making detection and analysis more difficult for security professionals."
Via BleepingComputer