Konfety Malware APKs Distorted to Evade Detection

Security researchers have discovered a new variant of the Android malware Konfety that uses a corrupted ZIP structure and advanced obfuscation techniques to bypass static analysis and evade detection by security tools.


Masquerading as Legitimate Apps

Konfety disguises itself as legitimate Android applications, closely mimicking the look and feel of harmless apps typically found on Google Play. However, these apps offer no real functionality. Instead, once installed, the malware:

  • Redirects users to malicious websites
  • Silently installs unwanted apps
  • Displays fake browser notifications
  • Injects hidden ads via the CaramelAds SDK
  • Collects sensitive device data, including:
    • Installed apps
    • System details
    • Network configuration

Stealthy Payload Delivery via Encrypted DEX

Although not classified as full-fledged spyware or a RAT (Remote Access Trojan), Konfety includes an encrypted DEX (Dalvik Executable) file hidden inside the APK. This auxiliary file is decrypted at runtime, allowing the malware to:

  • Load additional modules dynamically
  • Expand its functionality after installation
  • Add more dangerous capabilities over time

Because the real logic only appears in memory after decryption, these mechanisms make the malware adaptable and hard to detect with static scanning alone.


Evasion Techniques: How Konfety Stays Hidden

Researchers at Zimperium have identified several key evasion strategies used by this Konfety variant:

1. Impersonation of Legitimate Apps

  • Clones names and designs of real apps available on Google Play
  • Distributed via third-party app stores, targeting users who:
    • Seek “free” versions of paid apps
    • Try to bypass Google’s Play Protect
    • Use older Android devices or live in regions without Google services

2. Dynamic Code Loading

  • Hides core malware logic in an encrypted DEX file
  • Payload is only activated at runtime, bypassing static analysis

3. APK Structure Manipulation

Konfety corrupts its APK’s ZIP structure to confuse reverse-engineering tools, using techniques such as:

  • Fake Encryption Flags: Sets the General Purpose Bit Flag (bit 0) to indicate the file is encrypted, triggering false password prompts in analysis tools.
  • Unsupported Compression Methods (BZIP): Uses BZIP (0x000C) for critical files, a method not recognized by tools like APKTool or JADX, causing them to crash or fail during analysis.

Despite these manipulations, Android’s package installer ignores the unsupported compression and installs the malware without issue.
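A defender's check for the two header tricks just described, written for this page as an added example (it is not Zimperium's code or part of any tool named here): it walks a ZIP central directory and reports entries whose general purpose flag has bit 0 set or whose compression method is 0x000C, using a constructed in-memory archive in place of a real Konfety APK.

```python
import io
import struct
import zipfile

# ZIP central directory and End of Central Directory layouts (PKWARE APPNOTE).
CEN_SIG, CEN_FMT, CEN_SIZE = b"PK\x01\x02", "<4s4B4HL2L5H2L", 46
EOCD_SIG, EOCD_FMT, EOCD_SIZE = b"PK\x05\x06", "<4s4H2LH", 22
ENCRYPT_BIT = 0x0001   # general purpose bit flag, bit 0: "entry is encrypted"
METHOD_BZIP2 = 0x000C  # compression method 12, unsupported by many APK tools

def audit_apk(data: bytes) -> list[dict]:
    """Walk the central directory; report entries carrying either header trick."""
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no End of Central Directory record")
    total, _, cd_offset = struct.unpack(EOCD_FMT, data[eocd:eocd + EOCD_SIZE])[4:7]
    findings, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack(CEN_FMT, data[pos:pos + CEN_SIZE])
        if f[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        flag, method, name_len, extra_len, comment_len = f[5], f[6], f[12], f[13], f[14]
        name = data[pos + CEN_SIZE:pos + CEN_SIZE + name_len].decode("utf-8", "replace")
        reasons = []
        if flag & ENCRYPT_BIT:
            reasons.append("encryption flag set (GPBF bit 0)")
        if method == METHOD_BZIP2:
            reasons.append("compression method 0x000C (BZIP2)")
        if reasons:
            findings.append({"name": name, "reasons": reasons})
        pos += CEN_SIZE + name_len + extra_len + comment_len
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed sample, not a real Konfety APK: a minimal APK-shaped ZIP; with
    tamper=True, classes.dex's central-directory record gets flag bit 0 + method 12."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        pos = struct.unpack(EOCD_FMT, data[data.rfind(EOCD_SIG):][:EOCD_SIZE])[6]
        while True:  # find the classes.dex record, then overwrite flag and method
            name_len, extra_len, comment_len = struct.unpack_from("<3H", data, pos + 28)
            if bytes(data[pos + 46:pos + 46 + name_len]) == b"classes.dex":
                struct.pack_into("<2H", data, pos + 8, ENCRYPT_BIT, METHOD_BZIP2)
                break
            pos += CEN_SIZE + name_len + extra_len + comment_len
    return bytes(data)
```

`audit_apk(build_sample(True))` flags only `classes.dex`, while the untampered sample returns an empty list; on a real file, pass `open(path, "rb").read()` and cross-check the local file headers as well, since the trick can be applied to either copy of the metadata.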


Post-Installation Behavior

Once installed, Konfety:

  • Hides its icon and app name from the launcher
  • Uses geofencing to alter behavior depending on the victim’s region

A Familiar Pattern: Comparison to SoumniBot

Researchers compare Konfety’s obfuscation techniques to SoumniBot, a malware strain discovered in April 2024. SoumniBot similarly:

  • Faked compression methods in its AndroidManifest.xml
  • Manipulated file sizes
  • Overloaded static analyzers with excessively long namespace strings

The recurrence of these techniques indicates a growing trend in Android malware evolution, focused on anti-analysis and anti-reversing defenses.


Key Takeaways

  • Konfety disguises itself as legitimate apps, redirecting users, displaying hidden ads, and stealing data
  • Employs encrypted DEX files for dynamic, post-install payload loading
  • Distorts APK structure using fake encryption flags and BZIP compression to hinder analysis
  • Spreads via third-party app stores, targeting users seeking pirated or modified apps
  • Shares advanced obfuscation tactics with malware like SoumniBot, signaling an industry-wide escalation

Security Recommendations

✔ Avoid sideloading APKs from untrusted or unofficial sources
✔ Use Google Play Protect and reputable mobile security apps
✔ Watch for signs of compromise, such as:

  • Hidden app icons
  • Unexpected pop-ups or ads
  • Battery drain or sluggish performance