Konfety Android Malware on Google Play Uses ZIP Manipulation to Imitate Legitimate Apps

Posted on July 15, 2025 By CWS

A refined Android malware variant exploits ZIP-level manipulation and dynamic code loading to evade detection while conducting ad fraud operations targeting mobile users globally.

Zimperium's zLabs security research team has identified a new and highly sophisticated variant of the Konfety Android malware that employs advanced evasion techniques to bypass security analysis tools and conduct fraudulent advertising operations.

This latest iteration represents a significant evolution in mobile malware capabilities, demonstrating how threat actors continually adapt their tactics to bypass detection mechanisms.

Konfety Android Malware on Google Play

The Konfety malware family first emerged as part of a large mobile advertising fraud campaign that was initially disrupted by security researchers in 2024.

The original operation involved more than 250 decoy applications on the Google Play Store, each paired with malicious "evil twin" counterparts distributed through third-party channels.

At its peak, the campaign generated an astounding 10 billion fraudulent ad requests per day, highlighting the scale and financial impact of this sophisticated operation.

The malware derives its name from the Russian word for "candy," referencing its abuse of the CaramelAds mobile advertising software development kit (SDK).

The threat actors behind Konfety demonstrated remarkable innovation by creating a dual-app ecosystem in which legitimate-looking decoy applications on official app stores provided cover for malicious variants distributed through other channels.

New Evasion Techniques: ZIP-Level Manipulation

The latest Konfety variant represents a significant advance in anti-analysis techniques, specifically targeting the tools security researchers use to examine Android applications.

The malware employs several ZIP-level manipulation tactics designed to break common analysis tools and complicate reverse engineering efforts.

One of the most innovative evasion techniques involves manipulating the General Purpose Flag within the APK's ZIP structure.

The malware sets bit 0 of the General Purpose Flags to indicate that the APK is encrypted, even though the file is not actually encrypted. This false flag causes analysis tools to incorrectly identify the APK as password-protected and therefore request a password for decompression.

This technique effectively blocks security tools from extracting files by triggering password prompts, preventing deeper inspection of the malware's code and functionality. The manipulation operates at a fundamental level, exploiting how ZIP parsers handle file headers and metadata.

The second major evasion technique involves declaring an unsupported compression method for the AndroidManifest.xml entry in the archive. Specifically, the malware declares the BZIP compression method (0x000C) for critical files, despite not actually using this compression algorithm.

This discrepancy causes analysis tools like APKTool and JADX to crash outright when attempting to process the file, as they encounter an unexpected compression method they cannot handle.

The elegance of this technique lies in Android's resilient handling of such anomalies. When the Android operating system encounters an unsupported compression type, it quietly falls back to treating the file as if it were simply stored, allowing the installation process to proceed without disruption. This ensures system stability while simultaneously defeating security analysis tools.
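
As an added example that is not part of the article or of Zimperium's research, the following Python script walks an APK's ZIP central directory by hand and flags the two header anomalies described above (encryption bit 0 set, compression method outside stored/deflate), then shows that a stock ZIP library refuses the same archive. The archive it inspects is constructed inline and tampered in its central directory record only; no real Konfety sample is used.

```python
import io
import struct
import zipfile
ENC_BIT = 0x0001                    # general purpose flag bit 0: "entry is encrypted"
ANDROID_METHODS = {0, 8}            # stored and deflate: all the Android runtime uses
EOCD_SIG, CEN_SIG = 0x06054b50, 0x02014b50

def scan_central_directory(blob: bytes) -> list:
    """Walk the central directory by hand (a stock ZIP library would choke) and
    return (entry_name, reason) for each of the two header tricks in the article."""
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", blob, eocd + 12)
    findings, pos = [], cd_off
    while pos < cd_off + cd_size:
        if struct.unpack_from("<I", blob, pos)[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        flags, method = struct.unpack_from("<HH", blob, pos + 8)
        name_len, extra_len, cmt_len = struct.unpack_from("<HHH", blob, pos + 28)
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & ENC_BIT:
            findings.append((name, "encryption flag set; APK entries are never ZIP-encrypted"))
        if method not in ANDROID_METHODS:
            findings.append((name, f"unsupported compression method 0x{method:04X}"))
        pos += 46 + name_len + extra_len + cmt_len
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed APK-like archive; tamper=True rewrites the manifest's central
    directory record to claim encryption and the bzip2 method (0x000C)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='demo.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    blob = bytearray(buf.getvalue())
    if tamper:
        eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
        first, = struct.unpack_from("<I", blob, eocd + 16)    # first record = manifest
        struct.pack_into("<HH", blob, first + 8, ENC_BIT, 0x000C)
    return bytes(blob)

def probe_with_zipfile(blob: bytes) -> str:
    """What a stock ZIP library does with the archive: 'ok' or the exception type."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read("AndroidManifest.xml")
        return "ok"
    except Exception as exc:        # tampered sample: RuntimeError, "password required"
        return type(exc).__name__
```

Running `scan_central_directory` on a real APK before handing it to APKTool or JADX tells you up front which entries will make those tools fail and why.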

Dynamic Code Loading and Obfuscation

Beyond ZIP-level manipulation, the new Konfety variant employs sophisticated dynamic code loading techniques to conceal its malicious functionality. The malware includes several layers of obfuscation specifically designed to hinder both static and dynamic analysis approaches.

The malware uses dynamic code loading by embedding additional executable code within an encrypted asset bundled inside the APK. This encrypted file contains a secondary DEX (Dalvik Executable) file that remains completely hidden during standard APK inspection procedures.

The encryption ensures that the malicious payload is not immediately visible to security researchers or automated analysis systems.

Upon execution, the application decrypts and loads this hidden DEX file into memory, enabling it to execute additional malicious logic that was completely concealed during installation.

This runtime decryption and loading process allows the malware to maintain a benign appearance while harboring sophisticated attack capabilities.

The hidden DEX file contains several application components, including activities, services, and receivers, that are declared in the AndroidManifest.xml but are conspicuously missing from the primary APK codebase.

This deliberate inconsistency serves as both an evasion technique and a detection trigger for security researchers who notice the discrepancy between declared and implemented components.

Most importantly, the concealed code includes a specific service related to the CaramelAds SDK, which earlier Konfety campaigns heavily exploited for large-scale ad fraud operations.

While the CaramelAds SDK is not inherently malicious, threat actors have consistently exploited it to silently fetch and render advertisements, sideload additional payloads, and maintain communication with remote command-and-control servers.

The Konfety malware maintains a sophisticated command-and-control infrastructure that has evolved considerably since the original campaign. Analysis of the malware's network communications reveals a multi-stage process designed to evade detection and maximize fraudulent revenue generation.

Upon installation, the malware presents users with a User Agreement pop-up, a characteristic feature that links the current variant to earlier Konfety campaigns. After users accept this agreement, the malware establishes contact with its command-and-control infrastructure through a carefully orchestrated sequence of network requests.

The initial communication begins with the malware opening a browser instance and connecting to hxxp://push.razkondronging.com/register?uid=XXXXXX. This domain represents the current iteration of the campaign's command-and-control infrastructure, replacing previously reported endpoints. The connection then redirects through several intermediary websites before reaching its final destination.

One of the most effective stealth techniques employed by the malware involves hiding its application icon and failing to display any recognizable app name.

This approach makes it extremely difficult for users to identify and remove the malicious application through conventional means, since it does not appear in typical application lists or launchers.

The malware achieves this concealment by manipulating Android's application management systems, ensuring that while the application remains functional and continues executing its malicious payload, it maintains an invisible presence on the infected device.

By monitoring application behavior patterns, network communications, and system interactions, behavioral detection systems can identify malicious activity regardless of code obfuscation or file format manipulation.

The key to effective behavioral detection lies in understanding the malware's operational patterns, including its network communication sequences, file system interactions, and attempts to establish persistence.

The latest Konfety Android malware variant represents a significant advance in mobile threat sophistication, demonstrating how threat actors continually evolve their techniques to bypass security measures.

The malware's innovative use of ZIP-level manipulation, dynamic code loading, and stealth mechanisms creates a formidable challenge for traditional security analysis approaches.
