user exploitation

AppWizard
July 16, 2025
Security researchers from zLabs have identified a new variant of the Konfety Android malware that manipulates the APK's ZIP container to evade detection while posing as legitimate apps on the Google Play Store. The malware follows an "evil-twin" strategy: the malicious build reuses the package name of a harmless app, so it passes for the legitimate one. The APK's ZIP structure is deliberately malformed so that common reverse-engineering tools fail to unpack or decompile it, while Android's package installer still accepts the archive and installs it without raising alarms. Konfety also relies on dynamic code loading: a secondary Dalvik Executable (DEX) file holding the malicious components is stored encrypted inside the package and is only decrypted and loaded at runtime, so it is not present in readable form in the package on disk. It integrates the CaramelAds SDK for ad fraud and hides its activity through geofencing and by concealing its launcher icon. The campaign has been linked to earlier Konfety operations and uses decoy applications on the Play Store as camouflage. Once running, it redirects users to fraudulent websites that push unwanted app installations and compromise user privacy. The operators continuously update their tactics to stay ahead of detection, a marker of the growing sophistication of Android malware. Users are advised to scrutinize where their apps come from and to monitor network activity for unexpected connections.
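The summary above says the Konfety APK is malformed at the ZIP level so that analysis tools break while the installer still accepts it. A triage check a practitioner would want is to read the ZIP container's raw records directly, rather than trusting one library's view of it, and flag entries whose local file header disagrees with the central directory or that advertise encryption or a non-standard compression method. The following is an added example, not code from zLabs or from the page: it builds a constructed three-entry APK-like ZIP in memory, tampers one entry's local header (the specific tampering, an encryption flag and compression method 12, is an illustrative assumption, not a description of Konfety's actual modifications), and runs the checks over both the clean and the tampered archive.

```python
import io
import struct
import zipfile
from typing import Optional

# ZIP record signatures (PKWARE APPNOTE): local file header, central
# directory file header, end-of-central-directory record.
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Compression methods an ordinary APK uses: stored (0) and deflate (8).
ORDINARY_METHODS = {0, 8}


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-like ZIP with three entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        zf.writestr("assets/payload.bin", b"\xde\xad\xbe\xef" * 16)
    return buf.getvalue()


def tamper_local_header(data: bytes, name: str, set_encrypted: bool = False,
                        method: Optional[int] = None) -> bytes:
    """Rewrite flags/method in one entry's LOCAL header only, leaving the
    central directory untouched (illustrative tampering, not Konfety's)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        offset = zf.getinfo(name).header_offset
    buf = bytearray(data)
    # Local header layout: sig(4) version(2) flags(2) method(2) ...
    flags, meth = struct.unpack_from("<HH", buf, offset + 6)
    if set_encrypted:
        flags |= 0x0001          # bit 0: entry is encrypted
    if method is not None:
        meth = method
    struct.pack_into("<HH", buf, offset + 6, flags, meth)
    return bytes(buf)


def scan_zip_structure(data: bytes) -> list:
    """Walk the central directory, re-read each local header from the raw
    bytes, and report inconsistencies a lenient unpacker might ignore."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, total, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            findings.append(f"central directory entry at {pos} has bad signature")
            break
        (_, _, cd_flags, cd_method, _, _, cd_crc, cd_csize, _, nlen, elen, clen,
         _, _, _, lh_off) = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen

        if data[lh_off:lh_off + 4] != LOCAL_HEADER_SIG:
            findings.append(f"{name}: central directory offset {lh_off} is not a local header")
            continue
        (_, l_flags, l_method, _, _, l_crc, l_csize, _, l_nlen, _) = struct.unpack(
            "<HHHHHIIIHH", data[lh_off + 4:lh_off + 30])
        l_name = data[lh_off + 30:lh_off + 30 + l_nlen].decode("utf-8", "replace")

        if l_name != name:
            findings.append(f"{name}: local header names the entry {l_name!r}")
        if (l_flags | cd_flags) & 0x0001:
            findings.append(f"{name}: encryption flag (bit 0) set; legitimate APKs do not use ZIP encryption")
        for where, m in (("local header", l_method), ("central directory", cd_method)):
            if m not in ORDINARY_METHODS:
                findings.append(f"{name}: compression method {m} in {where} is neither stored (0) nor deflate (8)")
        if l_flags != cd_flags or l_method != cd_method:
            findings.append(f"{name}: local header flags/method 0x{l_flags:04x}/{l_method} "
                            f"disagree with central directory 0x{cd_flags:04x}/{cd_method}")
        # With bit 3 (data descriptor) clear, the local header must carry the real CRC and sizes.
        if not (cd_flags & 0x0008) and (l_crc != cd_crc or l_csize != cd_csize):
            findings.append(f"{name}: CRC/size in local header disagree with central directory")
    return findings


def demo() -> list:
    """Clean sample scans clean; the tampered sample produces findings."""
    clean = build_sample_apk()
    tampered = tamper_local_header(clean, "classes.dex", set_encrypted=True, method=12)
    assert scan_zip_structure(clean) == []
    return scan_zip_structure(tampered)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real APK by reading the file into `data` and calling `scan_zip_structure(data)`; a clean package returns an empty list. The point of re-reading local headers from raw bytes is that a tool which trusts only the central directory (or only the local headers) sees a consistent archive and never notices that the other view has been altered.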
AppWizard
December 1, 2024
Recent findings by McAfee researchers identified 15 SpyLoan Android apps on Google Play that had collectively gathered over 8 million installs, primarily targeting users in South America, Southeast Asia, and Africa. These apps use social engineering to extract sensitive user information and obtain excessive permissions, which the operators then use for extortion, harassment, and financial theft. Many were promoted through misleading advertisements on social media. McAfee reported the apps to Google; some were suspended while others were updated by their developers. SpyLoan activity grew by more than 75% from the second to the third quarter of 2024. SpyLoan apps promise quick loans but exist primarily to harvest personal information for exploitation. They imitate legitimate financial institutions and request permissions a lending app has no need for, including access to contacts and SMS. Victims face misuse of their personal data and harassment of themselves and their contacts. Authorities in Peru raided a call center linked to SpyLoan apps that had extorted over 7,000 victims across Peru, Mexico, and Chile. The problem is global: the apps exploit users' trust and financial desperation, which complicates both detection and takedown efforts.
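The summary notes that SpyLoan apps request permissions a lending app does not need, contacts and SMS among them. A quick way to triage an app for this pattern is to read the decoded AndroidManifest.xml (as produced by apktool) and compare the requested permissions against a baseline of what a loan app plausibly needs. The following is an added example, not McAfee's tooling or code from the page: the manifest is constructed for the example, the package name is hypothetical, and both the high-risk list and the loan-app baseline are the example's own assumptions rather than an Android or McAfee classification.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose the data SpyLoan-style apps abuse for extortion and
# harassment. This grouping is the example's own triage list (assumption).
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contact list, used to harass the victim's acquaintances",
    "android.permission.READ_SMS": "SMS content, including OTPs and private messages",
    "android.permission.RECEIVE_SMS": "interception of incoming SMS",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and documents on shared storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Assumed baseline of what a lending app plausibly needs: network access and
# the camera for identity-document capture. Anything beyond it gets reviewed.
LOAN_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

# Constructed manifest in decoded (apktool-style) text form; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="QuickLoan">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect android:name from <uses-permission> and its API-23+ variant."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                perms.add(name)
    return perms


def audit_loan_app(manifest_xml: str) -> dict:
    """Report permissions beyond the loan-app baseline and which are high risk."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    excess = perms - LOAN_APP_BASELINE
    high_risk = {p: HIGH_RISK[p] for p in sorted(excess) if p in HIGH_RISK}
    return {
        "package": root.get("package"),
        "requested": sorted(perms),
        "excess": sorted(excess),
        "high_risk": high_risk,
        "verdict": "suspicious" if high_risk else "no excess high-risk permissions",
    }


if __name__ == "__main__":
    report = audit_loan_app(SAMPLE_MANIFEST)
    print(report["package"], report["verdict"])
    for perm, why in report["high_risk"].items():
        print(f"  {perm}: {why}")
```

On a real sample, decode the APK first (for example `apktool d app.apk`) and pass the resulting AndroidManifest.xml text to `audit_loan_app`; the binary manifest inside the APK is not XML text and must be decoded before parsing.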