Security researchers from zLabs have unveiled a sophisticated iteration of the Konfety Android malware, which employs intricate ZIP-level modifications to elude detection and imitate legitimate applications found on the Google Play Store. This development signifies a notable escalation in the landscape of mobile security threats.
The Konfety malware adopts an “evil-twin” strategy, where malicious versions distributed via third-party platforms share identical package names with harmless apps available in official stores. This tactic significantly enhances its stealth and deceptive capabilities.
Advanced Evasion Tactics
By manipulating the APK’s ZIP structure, Konfety disrupts standard reverse engineering tools: it sets bit 0 of the general purpose bit flag to falsely mark entries as encrypted, and it declares an unsupported BZIP compression method (0x000C) for critical files such as AndroidManifest.xml.
These modifications lead utilities like APKTool and JADX either to request a password that does not exist or to crash outright, hindering extraction and analysis.
Android’s installer, by contrast, tolerates these malformed packages: it treats the affected files as stored rather than compressed, so the app installs normally without raising alarms for the user or the system.
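The ZIP-header trick described above, as an added illustration that is not code from the zLabs report or from the malware: a constructed stand-in APK is built in memory, one entry is tampered with in the way the text describes (bit 0 of the general purpose flag set, compression method 0x000C declared, in both the central directory and the local file header), a defensive scanner flags the anomaly, and a lenient reader shows how the entry is still recoverable by reading its bytes as stored. Package name, file contents and function names are invented for the example.

```python
import io
import struct
import zipfile

MANIFEST = "AndroidManifest.xml"

def build_sample_apk():
    """Constructed stand-in for an APK; contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST, b"<manifest package='com.example.twin'/>")
        z.writestr("classes.dex", b"dex\n035\0" * 8)
    return buf.getvalue()

def tamper(apk, name, method=0x000C):
    """Set general purpose bit 0 (claims encryption) and an unsupported method
    on one entry, in both the central directory record and the local header."""
    data = bytearray(apk)
    eocd = data.rfind(b"PK\x05\x06")  # end of central directory record
    cd_size, pos = struct.unpack_from("<II", data, eocd + 12)
    end = pos + cd_size
    while pos < end:  # walk the central directory records
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)  # name/extra/comment lengths
        if data[pos + 46:pos + 46 + n] == name.encode():
            flags = struct.unpack_from("<H", data, pos + 8)[0] | 0x0001
            struct.pack_into("<HH", data, pos + 8, flags, method)
            local = struct.unpack_from("<I", data, pos + 42)[0]  # local header offset
            struct.pack_into("<HH", data, local + 6, flags, method)
        pos += 46 + n + m + k
    return bytes(data)

def scan(apk):
    """Defensive triage: report header values no legitimate APK needs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.flag_bits & 0x0001:
                findings.append(f"{info.filename}: encryption flag set")
            if info.compress_type not in (0, 8):  # Android accepts stored or deflate only
                findings.append(f"{info.filename}: method {info.compress_type:#06x}")
    return findings

def lenient_read(apk, name):
    """Installer-style reader: ignore flag and method, take the bytes as stored."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        info = z.getinfo(name)
    n, m = struct.unpack_from("<HH", apk, info.header_offset + 26)  # name/extra lengths
    return apk[info.header_offset + 30 + n + m:][:info.compress_size]
```

A by-the-book reader shows the failure the text describes: calling `zipfile.ZipFile(...).read(MANIFEST)` on the tampered archive raises RuntimeError demanding a password, while `lenient_read` returns the manifest unchanged.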
The malware’s versatility is further highlighted by its dynamic code loading mechanism: encrypted assets concealed within the APK hide a secondary Dalvik Executable (DEX) file. This hidden DEX, decrypted and executed only at runtime, contains components such as activities, services, and receivers that are declared in the manifest but absent from the primary codebase.
This obfuscation technique not only protects malicious logic during static scans but also integrates with the CaramelAds SDK to facilitate ad fraud operations. Although the SDK itself is benign, Konfety exploits it to retrieve advertisements, sideload payloads, and maintain covert communications with attacker-controlled servers, all while mimicking legitimate app behaviors through geofencing and icon concealment.
User Exploitation Revealed
Analysis has confirmed Konfety’s connections to previous campaigns, including those reported by Human, through distinctive markers such as a User Agreement popup and a regular expression pattern (@injseq) embedded in the code.
Decoy applications on the Play Store, which bear the same package names but lack any malicious functionality, serve as ideal camouflage, allowing the malware to blend seamlessly without replicating genuine features.
Upon execution, Konfety redirects users to fraudulent websites via browser instances, initiating connections to domains like hxxp://push.razkondronging.com/register?uid=XXXXXX, which cascade through redirects to sites that coerce the installation of unauthorized apps or enable persistent browser notifications.
This results in spam-like alerts and unwanted app sideloads, severely compromising user privacy and device integrity.
The threat actors behind Konfety exhibit remarkable adaptability, frequently updating targeted ad networks and evasion techniques to stay ahead of detection systems. By merging ZIP tampering with runtime decryption and deceptive manifest declarations, Konfety highlights the increasing sophistication of Android malware, presenting significant challenges for security professionals and underscoring the necessity for advanced analytical tools capable of withstanding such low-level manipulations.
Users are encouraged to carefully scrutinize app sources, enable Play Protect, and monitor for unusual network activity to mitigate risks associated with this persistent threat.