Zimperium’s zLabs security research team has unveiled a new variant of the Konfety Android malware, showcasing an impressive leap in sophistication. This iteration employs advanced evasion techniques that allow it to slip past security analysis tools while executing fraudulent advertising operations on a global scale.
Konfety Android Malware on Google Play
The Konfety malware family first made its mark during a massive mobile advertising fraud campaign that was disrupted by security researchers in 2024. Initially, the operation involved over 250 decoy applications available on the Google Play Store, cleverly paired with malicious “evil twin” counterparts distributed through third-party channels. At its zenith, the campaign was responsible for an astonishing 10 billion fraudulent ad requests daily, underscoring the scale and financial ramifications of this intricate operation.
The malware’s name, derived from the Russian word for “candy,” reflects its exploitation of the CaramelAds mobile advertising software development kit (SDK). The architects behind Konfety exhibited remarkable ingenuity by crafting a dual-app ecosystem, wherein seemingly legitimate applications on official app stores provided a façade for the malicious variants lurking in alternative distribution channels.
New Evasion Techniques: ZIP-Level Manipulation
This latest variant of Konfety marks a significant advancement in anti-analysis techniques, specifically targeting the tools utilized by security researchers to scrutinize Android applications. The malware employs sophisticated ZIP-level manipulation tactics designed to disrupt common analysis tools and complicate reverse engineering efforts.
One of the most innovative evasion strategies involves manipulating the General Purpose Flag within the APK’s ZIP structure. By setting bit 00 of the General Purpose Flags to indicate that the APK is encrypted—despite it not being encrypted—the malware misleads analysis tools into treating the APK as password-protected. This false flag triggers password prompts, effectively blocking security tools from extracting files and preventing deeper inspection of the malware’s code and functionality.
Another notable evasion technique involves declaring an unsupported compression method in the AndroidManifest.xml file. The malware specifies the BZIP compression method (0x000C) for critical files, despite not actually employing this algorithm. This discrepancy causes analysis tools like APKTool and JADX to crash when attempting to process the file, as they encounter an unexpected compression method they cannot manage. Interestingly, Android’s resilient handling of such anomalies allows the installation process to proceed without disruption, further complicating detection efforts.
Dynamic Code Loading and Obfuscation
In addition to ZIP-level manipulation, the new Konfety variant employs dynamic code loading techniques to obscure its malicious functionality. The malware incorporates multiple layers of obfuscation specifically designed to thwart both static and dynamic analysis approaches.
By embedding additional executable code within encrypted assets bundled inside the APK, the malware utilizes dynamic code loading. This encrypted file contains a secondary DEX (Dalvik Executable) file that remains hidden during standard APK inspections. Upon execution, the application decrypts and loads this concealed DEX file into memory, enabling the execution of additional malicious logic that was previously undetectable during installation.
This runtime decryption and loading process allows the malware to maintain a benign appearance while concealing sophisticated attack capabilities. The hidden DEX file comprises several application components, including activities, services, and receivers declared in the AndroidManifest.xml but conspicuously absent from the primary APK codebase. This inconsistency serves as both an evasion technique and a potential detection trigger for security researchers.
Most notably, the concealed code includes a specific service related to the CaramelAds SDK, which previous Konfety campaigns heavily exploited for large-scale ad fraud operations. While the CaramelAds SDK itself is not inherently malicious, threat actors have consistently leveraged it to silently fetch and render advertisements, sideload additional payloads, and maintain communication with remote command-and-control servers.
The Konfety malware has developed a sophisticated command-and-control infrastructure that has evolved significantly since the original campaign. Analysis of the malware’s network communications reveals a multi-stage process designed to evade detection while maximizing fraudulent revenue generation. Upon installation, users are presented with a User Agreement pop-up—a characteristic feature linking the current variant to earlier Konfety campaigns. After users accept this agreement, the malware initiates contact with its command-and-control infrastructure through a carefully orchestrated sequence of network requests.
The initial communication begins with the malware opening a browser instance and connecting to hxxp://push.razkondronging.com/register?uid=XXXXXX, marking the current iteration of the campaign’s command-and-control infrastructure. This connection is then redirected through several intermediary websites before reaching its final destination.
One of the most effective stealth techniques employed by the malware involves concealing its application icon and failing to display any recognizable app name. This strategy complicates user identification and removal of the malicious application through conventional means, as it does not appear in typical application lists or launchers. The malware achieves this concealment by manipulating Android’s application management systems, ensuring that while the application remains functional and continues executing its malicious payload, it maintains an invisible presence on the infected device.
By closely monitoring application behavior patterns, network communications, and system interactions, behavioral detection systems can identify malicious activity, regardless of code obfuscation or file format manipulation. The key to effective behavioral detection lies in understanding the malware’s operational patterns, including its network communication sequences, file system interactions, and attempts to establish persistence.
The latest Konfety Android malware variant exemplifies a significant advancement in mobile threat sophistication, illustrating how threat actors continuously refine their techniques to bypass security measures. Its innovative use of ZIP-level manipulation, dynamic code loading, and stealth mechanisms presents a formidable challenge for traditional security analysis approaches.
