Zimperium’s zLabs security research team has identified a new variant of the Konfety Android malware, which employs advanced evasion techniques to bypass security analysis tools while executing fraudulent advertising operations globally. The Konfety malware family, first recognized during a mobile advertising fraud campaign in 2024, initially involved over 250 decoy applications on the Google Play Store and was responsible for 10 billion fraudulent ad requests daily. The malware uses sophisticated ZIP-level manipulation tactics to disrupt analysis tools, including misleading the General Purpose Flag within the APK’s ZIP structure to trigger password prompts and declaring an unsupported compression method in the AndroidManifest.xml file to crash analysis tools. Additionally, it utilizes dynamic code loading and obfuscation to hide malicious functionality, embedding executable code within encrypted assets and maintaining a benign appearance during installation. The malware has developed a command-and-control infrastructure that initiates contact through a sequence of network requests after user agreement acceptance. It also employs stealth techniques to conceal its application icon and name, complicating user identification and removal. Behavioral detection systems can identify malicious activity by monitoring application behavior patterns and network communications.