Konfety Returns: Evasive Android Malware Using Malformed APKs

Konfety Malware Overview

The Konfety malware has resurfaced with advanced evasion techniques designed to target Android devices, complicating detection for security professionals. This malware utilizes an “evil-twin” method, where it creates two variants of an application with the same package name—one benign and the other malicious. Key tactics include dual-app deception, ZIP-level evasion, dynamic code loading, stealth techniques, and ad fraud infrastructure.

Image courtesy of Zimperium

Evasion Techniques

The Konfety malware employs sophisticated methods to evade detection. Notably, it uses:

• General Purpose Flag: Setting the General Purpose Flag to indicate encryption, misleading analysis tools into requesting a password for decompression.
• Unsupported Compression Method: Declaring a BZIP compression method in the AndroidManifest.xml, which is not actually used, causing analysis tools to parse the file incorrectly.

Image courtesy of Zimperium

These techniques effectively block access to the APK’s contents and hinder deeper inspection by causing analysis tools to crash.

Dynamic Code Loading

Konfety utilizes dynamic code loading, where critical functionality is concealed in an encrypted DEX file. This file is decrypted and executed at runtime, allowing the malware to hide its operations from initial scans.

Image courtesy of Zimperium

The hidden DEX file contains essential app components, which were not visible during a standard APK inspection, raising flags during analysis.

User Impact and Network Behavior

The malware redirects users to malicious sites, prompting unwanted app installations and triggering persistent spam notifications. Network analysis of Konfety reveals that after the User Agreement is accepted, it opens browser instances that connect to attacker-controlled servers.

Image courtesy of Zimperium

Zimperium's Defense Against Konfety

Zimperium offers robust protection against Konfety through its Mobile Threat Defense (MTD) solution. This on-device technology continuously monitors and adapts to evolving threats, ensuring comprehensive protection for mobile devices.

MITRE ATT&CK Techniques

Zimperium has mapped the Konfety malware to specific MITRE ATT&CK techniques for better understanding and defense:

• Persistence: Event Triggered Execution using Broadcast Receivers.
• Defense Evasion: Masquerading by matching legitimate app names.
• Discovery: Gathering information about installed applications and network configuration.

Indicators of Compromise (IOCs)

Indicators of compromise for this malware can be found in the Zimperium repository.

Conclusion

Zimperium's advanced detection capabilities ensure that customers are protected against the sophisticated techniques employed by Konfety malware. For more information or to explore our services, visit Gopher Security.