Tuesday, March 17, 2026

Malicious Konfety Android App on Google Play Exploits ZIP Compression to Mimic Authentic Applications

Security researchers at Zimperium’s zLabs have uncovered a sophisticated new variant of the Konfety Android malware that employs advanced ZIP-level manipulation techniques to evade detection and complicate reverse engineering efforts.

This latest campaign demonstrates how threat actors are evolving beyond traditional obfuscation methods, targeting the very tools security professionals use to analyze malicious applications.

The malware operates using an “evil-twin” strategy, where cybercriminals create both legitimate applications on official app stores and malicious versions distributed through third-party sources, both of which share identical package names.

This dual-app deception allows the malware to masquerade as trustworthy software while conducting fraudulent activities in the background.

Advanced ZIP Manipulation Breaks Analysis Tools

The most notable innovation in this Konfety variant involves sophisticated tampering with the APK’s ZIP structure at the compression level.

Security researchers found that the malware sets bit 0 of the ZIP General Purpose Bit Flag, the "encrypted entry" flag, on entries that are not actually encrypted. Analysis tools that honour the flag treat the APK as password-protected and prompt for a password that does not exist, which blocks extraction of the malicious code.

[Figure: Central Directory Structure of a ZIP]

Additionally, the AndroidManifest.xml entry declares the BZIP2 compression method (method 12, 0x000C), which Android does not support, while the entry's data is in fact stored uncompressed.

This discrepancy causes popular analysis tools such as APKTool and JADX to crash outright or to produce only partial output, preventing deeper inspection.

Android's ZIP handling is lenient enough that installation still succeeds: the platform quietly falls back to treating the entry as stored rather than compressed, so the malware remains fully functional despite the inconsistent headers.
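The following script reproduces the two header tricks on a constructed, throwaway ZIP and shows how to detect them. It is an added example, not code from Zimperium's report or from the Konfety sample: it builds a minimal APK-like archive with a stand-in AndroidManifest.xml, sets the encryption bit and method 12 on that entry, shows that Python's stock `zipfile` then demands a password, and finally does what Android effectively does, reading the raw bytes as stored and confirming them against the CRC. The manifest content, the dex stub and the filenames are all constructed for the demo.

```python
"""Reproduce and detect the Konfety-style ZIP header tricks on a constructed sample."""
import io
import struct
import zipfile
import zlib

# Constructed stand-in for a manifest; a real APK carries binary AXML here.
MANIFEST = b"<manifest package='com.example.app'/>"


def build_sample_apk() -> bytes:
    """Minimal APK-like ZIP: a stored manifest plus a deflated dex stub (both constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def _central_entries(data: bytes):
    """Yield (name, central-record offset, local-header offset) for every entry."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lho = struct.unpack_from("<I", data, pos + 42)[0]
        yield data[pos + 46:pos + 46 + nlen].decode("utf-8"), pos, lho
        pos += 46 + nlen + elen + clen


def tamper(apk: bytes, name: str, method: int = 12) -> bytes:
    """Set flag bit 0 ("encrypted") and the compression method on one entry, in both the
    central directory record and the local file header, without touching the data itself."""
    data = bytearray(apk)
    for ename, cd, lho in _central_entries(bytes(data)):
        if ename == name:
            flags = struct.unpack_from("<H", data, cd + 8)[0]
            struct.pack_into("<HH", data, cd + 8, flags | 1, method)   # central record
            struct.pack_into("<HH", data, lho + 6, flags | 1, method)  # local header
    return bytes(data)


def scan(apk: bytes) -> dict:
    """Flag header combinations that make stock tools ask for a password or bail out, and
    check whether the raw bytes are really plain stored data (the Android fallback)."""
    findings = {}
    for name, cd, lho in _central_entries(apk):
        flags, method = struct.unpack_from("<HH", apk, cd + 8)
        crc, csize, usize = struct.unpack_from("<III", apk, cd + 16)
        lflags, lmethod = struct.unpack_from("<HH", apk, lho + 6)
        lnlen, lelen = struct.unpack_from("<HH", apk, lho + 26)
        start = lho + 30 + lnlen + lelen
        body = apk[start:start + csize]
        issues = []
        if flags & 1:
            issues.append("encryption flag (bit 0) set")
        if method not in (0, 8):  # Android only accepts stored (0) and deflate (8)
            issues.append(f"compression method {method} not supported by Android")
        if (flags, method) != (lflags, lmethod):
            issues.append("local header disagrees with central directory")
        if (flags & 1 or method != 0) and csize == usize and zlib.crc32(body) == crc:
            issues.append("payload is really stored: CRC matches the raw bytes")
        if issues:
            findings[name] = issues
    return findings


def stock_tool_result(apk: bytes, name: str) -> str:
    """What Python's zipfile does with the tampered entry: bit 0 makes it demand a
    password before it ever looks at the compression method."""
    try:
        zipfile.ZipFile(io.BytesIO(apk)).read(name)
        return "ok"
    except RuntimeError:  # "File ... is encrypted, password required for extraction"
        return "password required"


def extract_as_stored(apk: bytes, name: str) -> bytes:
    """Ignore the bogus flag/method and take the bytes as stored, verified by CRC."""
    for ename, cd, lho in _central_entries(apk):
        if ename != name:
            continue
        crc, _csize, usize = struct.unpack_from("<III", apk, cd + 16)
        lnlen, lelen = struct.unpack_from("<HH", apk, lho + 26)
        start = lho + 30 + lnlen + lelen
        body = apk[start:start + usize]
        if zlib.crc32(body) != crc:
            raise ValueError(f"{name}: CRC mismatch, entry is not plain stored data")
        return body
    raise KeyError(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = tamper(clean, "AndroidManifest.xml")
    print("clean:", scan(clean))
    print("tampered:", scan(bad))
    print("zipfile says:", stock_tool_result(bad, "AndroidManifest.xml"))
    print("stored fallback:", extract_as_stored(bad, "AndroidManifest.xml"))
```

The CRC check in `scan` is the useful triage signal: an entry whose header claims encryption or an exotic method, but whose raw bytes already match the recorded CRC, has been tampered with at the header level rather than genuinely protected, and can be repaired by clearing bit 0 and resetting the method to 0 before handing the APK to APKTool or JADX.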

Dynamic Code Loading and Ad Fraud Operations

Beyond ZIP manipulation, Konfety employs dynamic code loading to conceal critical functionality within encrypted assets.

The malware loads a secondary DEX file at runtime that contains missing app components declared in the AndroidManifest.xml but not present in the primary codebase.

This hidden code includes services related to the CaramelAds SDK, which the malware exploits for large-scale ad fraud operations.

The malware demonstrates sophisticated behavioral adaptations, including geofencing capabilities that adjust its actions based on the victim’s geographic location.

When it detects a European Union mobile user agent, it redirects the victim to suspicious websites; otherwise it redirects to legitimate sites such as Google.com.

The application also suppresses its icon and mimics legitimate app names to maintain stealth.

Network analysis revealed that after users accept a deceptive User Agreement pop-up, the malware opens browser instances that connect to malicious domains, eventually flooding victims with persistent, unwanted notifications or tricking them into installing additional malicious applications from unofficial sources.

Zimperium’s Mobile Threat Defense solution provides comprehensive protection against these evolving Konfety variants, demonstrating the critical importance of advanced mobile security solutions that can detect sophisticated evasion techniques targeting both users and security analysis tools.
