We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

evasion techniques

Threat Actors Blend Click Fraud Apps and Malware to Steal Android Credentials
AppWizard
July 23, 2025

Threat Actors Blend Click Fraud Apps and Malware to Steal Android Credentials

Security researchers at Trustwave SpiderLabs have identified a complex cluster of Android malware that combines click fraud, credential theft, and brand impersonation. This malware exploits the Android Package Kit (APK) file format to distribute malicious applications, often through phishing messages or deceptive websites. Users are tricked into installing these APKs, which are disguised as reputable brands or promotional apps. Once installed, the malware takes advantage of Android's permission model to access sensitive resources, primarily for click fraud and traffic redirection to generate illicit revenue. Some variants engage in data collection and credential harvesting, employing advanced evasion tactics to avoid detection, such as using counterfeit Chrome applications and overlay screens. A notable variant includes a spoofed Facebook app that mimics the official interface and connects to a remote command-and-control server for instructions. The malware uses encryption and encoding to secure data exchanges and employs open-source tools to bypass Android's signature verification. Evidence suggests that the operators may be Chinese-speaking, as indicated by the use of Simplified Chinese in the code and the promotion of related APK campaigns on Chinese-speaking underground forums.
Konfety Android Malware Exploits ZIP Tricks to Masquerade as Legit Apps on Google Play
AppWizard
July 16, 2025

Konfety Android Malware Exploits ZIP Tricks to Masquerade as Legit Apps on Google Play

Security researchers from zLabs have identified a new version of the Konfety Android malware that uses advanced ZIP-level modifications to avoid detection and mimic legitimate apps on the Google Play Store. The malware employs an "evil-twin" strategy, distributing malicious versions with the same package names as harmless apps. It manipulates the APK's ZIP structure to disrupt reverse engineering tools, allowing it to evade analysis. The installation process on Android can handle these malformed packages without raising alarms. Konfety features a dynamic code loading mechanism, hiding a secondary Dalvik Executable (DEX) file that is decrypted at runtime, which contains malicious components. It integrates with the CaramelAds SDK for ad fraud, while disguising its activities through geofencing and icon concealment. The malware has been linked to previous campaigns and uses decoy applications on the Play Store for camouflage. Upon execution, it redirects users to fraudulent websites, leading to unwanted app installations and compromising user privacy. The threat actors behind Konfety continuously update their tactics to evade detection, highlighting the growing sophistication of Android malware. Users are advised to scrutinize app sources and monitor network activity to mitigate risks.
This Android malware poses as real apps to take you to dangerous sites and flood your phone with spam
AppWizard
July 15, 2025

This Android malware poses as real apps to take you to dangerous sites and flood your phone with spam

A new variant of the Konfety malware targets high-end Android devices using sophisticated evasion techniques, including distorted APK files to avoid detection. This version disguises itself as legitimate applications, imitating popular apps on the Google Play Store. It employs an 'evil twin' tactic, emphasizing the need to download software only from trusted publishers and avoiding third-party APKs. The malware can redirect users to harmful websites, install unwanted software, and generate misleading notifications. It displays ads through the CaramelAds SDK and can exfiltrate sensitive data such as installed applications and network configurations. Konfety can conceal its app icon and name, using geofencing to alter behavior based on location, and employs an encrypted DEX file to hide services. To evade analysis, it manipulates APK files to appear encrypted, causing misleading prompts during inspection, and compresses critical files with BZIP, leading to parsing failures. Users are advised to avoid sideloading apps, ensure Google Play Protect is enabled, and consider installing a reputable antivirus to enhance security.
Konfety Android Malware on Google Play Uses ZIP Manipulation to Imitate Legitimate Apps
AppWizard
July 15, 2025

Konfety Android Malware on Google Play Uses ZIP Manipulation to Imitate Legitimate Apps

Zimperium’s zLabs security research team has identified a new variant of the Konfety Android malware, which employs advanced evasion techniques to bypass security analysis tools while executing fraudulent advertising operations globally. The Konfety malware family, first recognized during a mobile advertising fraud campaign in 2024, initially involved over 250 decoy applications on the Google Play Store and was responsible for 10 billion fraudulent ad requests daily. The malware uses sophisticated ZIP-level manipulation tactics to disrupt analysis tools, including misleading the General Purpose Flag within the APK’s ZIP structure to trigger password prompts and declaring an unsupported compression method in the AndroidManifest.xml file to crash analysis tools. Additionally, it utilizes dynamic code loading and obfuscation to hide malicious functionality, embedding executable code within encrypted assets and maintaining a benign appearance during installation. The malware has developed a command-and-control infrastructure that initiates contact through a sequence of network requests after user agreement acceptance. It also employs stealth techniques to conceal its application icon and name, complicating user identification and removal. Behavioral detection systems can identify malicious activity by monitoring application behavior patterns and network communications.
Hackers Abuse Legitimate Inno Setup Installer to Deliver Malware
Tech Optimizer
July 5, 2025

Hackers Abuse Legitimate Inno Setup Installer to Deliver Malware

Cybercriminals are using legitimate software installer frameworks like Inno Setup to distribute malware, taking advantage of its trusted appearance and scripting capabilities. A recent campaign demonstrated how a malicious Inno Setup installer can deliver information-stealing malware, such as RedLine Stealer, through a multi-stage infection process. This process includes evasion techniques like detecting debuggers and sandbox environments, using XOR encryption to obscure strings, and conducting WMI queries to identify malware analysis tools. The installer retrieves a payload from a command-and-control server via a TinyURL link and creates a scheduled task for persistence. The payload employs DLL sideloading to load HijackLoader, which ultimately injects RedLine Stealer into a legitimate process to steal sensitive information. RedLine Stealer uses obfuscation techniques and disables security features in browsers to avoid detection. The Splunk Threat Research Team has developed detection methods focusing on indicators such as unsigned DLL sideloading and suspicious browser behaviors. Indicators of Compromise (IOC): - Malicious Inno Setup Loader Hash 1: 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7 - Malicious Inno Setup Loader Hash 2: 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160 - Malicious Inno Setup Loader Hash 3: 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6 - Malicious Inno Setup Loader Hash 4: 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a
Hackers Allegedly Selling Windows Crypter Claims Bypass of All Antiviruses
Tech Optimizer
June 2, 2025

Hackers Allegedly Selling Windows Crypter Claims Bypass of All Antiviruses

Underground cybercriminal forums are seeing an increase in advanced malware tools, including a Windows crypter that claims to bypass major antivirus solutions. This crypter is marketed as fully activated and capable of achieving Full Undetectable (FUD) status against contemporary antivirus engines. It employs advanced obfuscation techniques to evade detection, including code injection methods, entropy manipulation, and anti-debugging features. The tool allows for granular control over obfuscation parameters, enabling customization for specific target environments. The rise of such sophisticated evasion tools poses challenges for traditional endpoint security, making organizations vulnerable if they rely solely on signature-based antivirus solutions. To defend against these threats, organizations should adopt multi-layered security architectures, including behavioral analysis and endpoint detection and response (EDR) solutions.
New Malware Compromise Microsoft Windows Without PE Header
Winsage
May 31, 2025

New Malware Compromise Microsoft Windows Without PE Header

A new strain of malware has been operating undetected on Windows systems for several weeks, utilizing advanced evasion techniques that corrupt its Portable Executable (PE) headers to avoid detection. Security researchers discovered this malware embedded in the memory of a compromised system during an investigation, using a 33GB memory dump that revealed its presence in a dllhost.exe process with process ID 8200. The malware, classified as a Remote Access Trojan (RAT) by Fortinet, employs batch scripts and PowerShell commands for its attack and has capabilities for screenshot capture, remote server functionality, and system service manipulation. Its command and control infrastructure uses encrypted communications, complicating detection efforts. The malware's distinctive feature is the deliberate corruption of DOS and PE headers, which hinders reverse engineering and complicates the reconstruction of the executable from memory dumps. Researchers had to manually locate the malware’s entry point and resolve complex import tables for it to function in a controlled environment.
Authorities Dismantled AVCheck, a Tool For Testing Malware Against Antivirus Detection
Tech Optimizer
May 31, 2025

Authorities Dismantled AVCheck, a Tool For Testing Malware Against Antivirus Detection

Law enforcement agencies from multiple nations dismantled a cybercriminal operation that provided malware testing services to evade antivirus detection. This effort led to the seizure of four domains and their servers, disrupting infrastructure that facilitated ransomware attacks globally. U.S. Attorney Nicholas J. Ganjei announced the disruption of an online software crypting syndicate that helped cybercriminals keep their malware undetected. The seized domains offered counter-antivirus tools and crypting services, allowing criminals to obfuscate malware and gain unauthorized access to systems. Investigators conducted undercover purchases and analyzed services, revealing connections to ransomware groups targeting victims in the U.S. and internationally. The operation, part of Operation Endgame, involved collaboration among the U.S., Netherlands, France, Germany, Denmark, Ukraine, and Portugal, with the FBI Houston Field Office leading the U.S. investigation. The seizures occurred on May 27.
Ongoing cryptomining campaign hits over 1.5K PostgreSQL servers
Tech Optimizer
April 2, 2025

Ongoing cryptomining campaign hits over 1.5K PostgreSQL servers

Over 1,500 PostgreSQL instances exposed to the internet have been targeted by a cryptocurrency mining malware campaign called JINX-0126. Attackers exploit weak credentials to access PostgreSQL servers and use the "COPY ... FROM PROGRAM SQL" command for arbitrary command execution. They deploy a shell script to terminate existing cryptominers and deliver the pg_core binary. A Golang binary, disguised as the PostgreSQL multi-user database server, is then downloaded to establish persistence and escalate privileges, leading to the execution of the latest XMRig cryptominer variant. JINX-0126 employs advanced tactics, including unique hashes for binaries and fileless miner payload execution, to evade detection by cloud workload protection platforms.
Search