• This dangerous new Android malware looks to hide from detection with distorted APKs

    From TechnologyDaily@1337:1/100 to All on Wed Jul 16 15:15:07 2025
    This dangerous new Android malware looks to hide from detection with
    distorted APKs

    Date:
    Wed, 16 Jul 2025 14:00:00 +0000

    Description:
    Distorted APKs make analysis and reverse engineering almost impossible, experts warn.

    FULL STORY ======================================================================

    zLabs spots new version of the Konfety Android malware. This version uses distorted APKs to avoid being detected and analyzed. It also uses the "evil twin" tactic to remain hidden in plain sight.

    The infamous Konfety Android malware has apparently been updated, with new versions hiding in plain sight through tampered APK structure, experts have warned.

    Security researchers at zLabs found that new Konfety variants are adopting increasingly advanced techniques to evade detection and hinder reverse engineering efforts.

    In ZIP files (the format APKs are based on), every file entry includes a so-called General Purpose Bit Flag, a two-byte field whose individual bits (each either 0 or 1) store metadata about how the file should be handled. One of those bits indicates whether the file is encrypted or not.

    Evil twins and dual-app deception

    In Konfety's case, the attackers intentionally set bit 0 to 1, even though the file wasn't actually encrypted. This causes decompression tools to misinterpret the files, analysis tools to crash thinking the archive is unreadable or corrupted, and reverse engineers to waste time troubleshooting.

    But that's not all. Each file entry in a ZIP archive also includes a compression method identifier (0x0000 for no compression, 0x000C for an uncommon compression standard, etc.).

    With Konfety, the attackers declared files as compressed using method 0x000C, which wasn't really the case. Since the files can't be decompressed properly, this leads to partial extraction, parsing errors, or even crashes, which complicates reverse engineering and analysis.
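    The two header fields the article describes (general purpose bit 0 and the compression method id) live in each entry's local file header and in the central directory. The following triage script is an added example, not code from the article or from zLabs: it walks the central directory of an archive and flags entries that claim encryption or a method other than stored (0) or deflate (8), the only two methods Android's own build tooling and libziparchive handle. The sample archive and the tamper() helper are constructed here to reproduce the described trick; 0x000C is bzip2 per the ZIP APPNOTE.

```python
import io
import struct
import zipfile
# Method ids from the ZIP APPNOTE: 0 = stored, 8 = deflate, 12 (0x000C) = bzip2.
EXPECTED_METHODS = {0, 8}         # all that Android tooling/libziparchive emit or accept
FLAG_ENCRYPTED = 0x0001           # general purpose bit flag, bit 0
CD_HDR = "<4sHHHHHHIIIHHHHHII"    # central directory file header, 46 bytes
EOCD = "<4sHHHHIIH"               # end of central directory record, 22 bytes

def central_directory(data):
    """Yield (name, flags, method, cd_pos, local_pos) for every entry."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_pos, _ = struct.unpack_from(EOCD, data, eocd_pos)
    for _ in range(count):
        hdr = struct.unpack_from(CD_HDR, data, cd_pos)
        if hdr[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        name = data[cd_pos + 46:cd_pos + 46 + hdr[10]].decode("utf-8", "replace")
        yield name, hdr[3], hdr[4], cd_pos, hdr[16]
        cd_pos += 46 + hdr[10] + hdr[11] + hdr[12]   # skip name, extra, comment

def find_header_anomalies(data):
    """Report entries whose headers claim encryption or an unexpected method."""
    findings = []
    for name, flags, method, _, _ in central_directory(data):
        reasons = []
        if flags & FLAG_ENCRYPTED:
            reasons.append("encryption bit set")
        if method not in EXPECTED_METHODS:
            reasons.append("unexpected method 0x%04X" % method)
        if reasons:
            findings.append((name, reasons))
    return findings

def tamper(data, name, flags, method):
    """Test helper: rewrite one entry's flags/method in both of its headers."""
    buf = bytearray(data)
    for entry, _, _, cd_pos, local_pos in central_directory(data):
        if entry == name:
            struct.pack_into("<HH", buf, cd_pos + 8, flags, method)
            struct.pack_into("<HH", buf, local_pos + 6, flags, method)
    return bytes(buf)

def build_sample():
    out = io.BytesIO()  # constructed stand-in for an APK; not a real app or sample
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        z.writestr("classes.dex", b"dex\n035\0" + bytes(100))
    return out.getvalue()
```

    Because the scanner reads the raw header fields instead of trusting a ZIP library to open the archive, it still produces findings on an archive that makes such libraries error out.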

    There are other ways Konfety tries to hide and maintain persistence. zLabs said that the attackers are also using so-called dual-app deception, in which there's a legitimate app on major app stores and a malicious one elsewhere.

    The app also hides its icon once installed, and applies geofencing to make sure certain analysts and researchers can't get to it.

    Konfety works by using the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. It redirects users to malicious websites, prompts unwanted app installs, and triggers persistent spam-like browser notifications.

    The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection, the researchers warned.

    This latest variant demonstrates their sophistication by specifically tampering with the APK's ZIP structure. This tactic is designed to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-dangerous-new-android-malware-looks-to-hide-from-detection-with-distorted-apks


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)