    Konfety Android malware uses malformed APKs to evade detection

    By PineapplesUpdate, July 15, 2025

    A new variant of the Konfety Android malware has emerged with a malformed ZIP structure, along with other obfuscation methods, that allows it to evade analysis and detection.

    Konfety poses as a legitimate app, mimicking innocuous products available on Google Play, but does not deliver any of the promised functionality.

    The malware's capabilities include redirecting users to malicious sites, pushing unwanted app installs, and fake browser notifications.

    Instead of the advertised features, it fetches and renders hidden ads using the CaramelAds SDK and exfiltrates information such as installed apps, network configuration and system information.

    Unwanted advertisements and redirects triggered by Konfety
    Source: Zimperium

    Although Konfety is not spyware or a RAT, it includes an encrypted secondary DEX file inside the APK, which is decrypted and loaded at runtime and contains hidden services declared in the AndroidManifest file.

    This leaves the door open to installing additional modules dynamically, allowing the delivery of more dangerous capabilities on current infections.

    Evasion tactics

    Researchers at mobile security platform Zimperium discovered and analyzed the latest Konfety variant and report that the malware uses several methods to obfuscate its true nature and activity.

    Konfety tricks victims into installing it by copying the name and branding of legitimate apps available on Google Play, and is distributed through third-party stores, a tactic that researchers at Human have called "evil twin" or "decoy twin."

    The malware's operators are promoting it on third-party app stores.

    These marketplaces are often where users look for "free" variants of premium apps because they want to avoid Google tracking, have an Android device that is no longer supported, or do not have access to Google services.

    Dynamic code loading, where malicious logic is hidden in an encrypted DEX file that is loaded at runtime, is another effective obfuscation and evasion mechanism that Konfety employs.

    Another unusual anti-analysis strategy in Konfety is to manipulate the APK files in a way that confuses or breaks static analysis and reverse engineering tools.

    First, the APK sets the general-purpose bit flag to 'bit 0', signaling that the file is encrypted even though it is not. This triggers false password prompts when trying to inspect the file, blocking or delaying access to the APK's contents.

    Second, critical files in the APK are declared as using BZIP compression (0x000C), which is not supported by analysis tools such as APKTool and JADX, resulting in a parsing failure.

    Analysis tools crashing while trying to parse the malicious APK
    Source: Zimperium

    Meanwhile, Android ignores the declared method and falls back to default processing to maintain stability, allowing the malicious app to install and run on the device without any problem.
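A triage check for the two header manipulations described above, as an added example that is not from the original article or from Zimperium: it reads each entry's general-purpose flag and compression method from both the central directory and the local file header. Flagging every method other than stored (0) or deflate (8) generalizes the BZIP (0x000C) case; the names `scan_apk` and `build_sample` and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x0001                     # general-purpose bit flag, bit 0
APK_METHODS = {0, 8}                       # stored, deflate (assumed APK norm)
CDH = struct.Struct("<IHHHHHHIIIHHHHHII")  # central directory file header, 46 bytes
LFH = struct.Struct("<IHHHHHIIIHH")        # local file header, 30 bytes

def scan_apk(data: bytes) -> dict:
    """Return {entry name: [findings]} for header fields that mislead analysis tools."""
    eocd = data.rfind(b"PK\x05\x06")       # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = {}
    for _ in range(count):
        h = CDH.unpack_from(data, pos)
        if h[0] != 0x02014B50:
            raise ValueError("bad central directory signature")
        name = data[pos + 46: pos + 46 + h[10]].decode("utf-8", "replace")
        local = LFH.unpack_from(data, h[16])   # h[16] = local header offset
        for where, flags, method in (("central", h[3], h[4]), ("local", local[2], local[3])):
            if flags & ENCRYPTED_BIT:
                findings.setdefault(name, []).append(f"{where}: encrypted flag (bit 0) set")
            if method not in APK_METHODS:
                findings.setdefault(name, []).append(f"{where}: method 0x{method:04X} not stored/deflate")
        pos += 46 + h[10] + h[11] + h[12]      # skip name, extra field, comment
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed test archive (placeholder content); optionally patch classes.dex headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder bytes, not a real DEX")
        local = zf.getinfo("classes.dex").header_offset
    data = bytearray(buf.getvalue())
    if tamper:
        central = data.rfind(b"PK\x01\x02")    # last central header = classes.dex
        for off in (local + 6, central + 8):   # flags field; method follows it
            struct.pack_into("<HH", data, off, 0x0001, 0x000C)
    return bytes(data)

if __name__ == "__main__":
    for entry, issues in scan_apk(build_sample(tamper=True)).items():
        print(entry, issues)
```

Because the check only reads header fields, it works on archives that decompression-based tools refuse to open.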

    After installation, Konfety hides its app icon and name and uses geofencing to change its behavior according to the victim's region.

    Compression-based obfuscation has been seen before in Android malware, as highlighted in a Kaspersky report on the SoumniBot malware from April 2024.

    In that case, SoumniBot declared an invalid compression method in AndroidManifest.xml, declared a fake file size and data overlay, and confused analysis tools with very large namespace strings.

    It is generally recommended to avoid installing APK files from third-party Android app stores and to trust only software from publishers you know.

