Classic Mobile Threat with New Evasion Techniques

Executive Summary

As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively monitoring a new, sophisticated variant of a well-known malware previously reported by Human. This Android-targeted malware, named Konfety, employs an "evil-twin" technique to conduct fraudulent activities. Notably, two distinct variants of this application share the same Package Name, a tactic designed to enhance its evasiveness and impact:

  • Twin-App Deception: Uses the same package name for both a benign app (on official stores) and a malicious version distributed via third-party sources.
  • ZIP-Level Evasion: A tampered APK structure (e.g., an unsupported compression method, a fake encryption flag) breaks common analysis tools and complicates reverse engineering.
  • Dynamic Code Loading: Conceals key functionality in encrypted assets that are only decrypted and executed at runtime.
  • Stealth Techniques: Hides the app icon, mimics legitimate apps, and applies geofencing to adjust behavior by region.
  • Ad Fraud Infrastructure: Leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.
  • User Impact: Redirects users to malicious websites, prompts unwanted app installs, and triggers persistent spam-like browser notifications.

The threat actors behind Konfety are highly adaptable, continually changing the ad networks they target and updating their techniques to evade detection. This latest variant demonstrates their sophistication by specifically tampering with the APK's ZIP structure. This tactic is designed to bypass security checks and significantly complicate reverse engineering, making detection and analysis harder for security professionals.

Evasion via Malformed ZIP Packaging

Malware developers are constantly refining their tactics. Beyond simply adding new functionality, they are adopting increasingly advanced techniques to evade detection and hinder reverse engineering. The newly discovered variants, for instance, implement the following tricks:

  • General Purpose Flag Enabled: The APK has bit 0 of the ZIP General Purpose Flags set. Bit 0 is the encryption flag, so some tools incorrectly identify the APK (ZIP) as encrypted and request a password for decompression, even though no entry is actually encrypted.
  • Unsupported Compression Method (BZIP2 – 0x000C): The AndroidManifest.xml entry of these samples declares the BZIP2 compression method (12). However, the entry's bytes are not actually compressed with that algorithm. This discrepancy results in partial decompression by extraction tools and invalid file parsing by analysis tools.

[Fig. 1]

These ZIP manipulations operate at a lower level, targeting the tools used to analyze the APK in different ways. For instance, the first technique prevents these tools from extracting files by triggering a password prompt (Fig. 2), effectively blocking access.

[Fig. 2: password prompt triggered when extracting the APK]

In other cases, these manipulations cause analysis tools like APKTool or JADX to crash completely, preventing any deeper inspection, as illustrated in Fig. 3.

[Fig. 3: APKTool / JADX failing on the tampered APK]

If it encounters an unsupported compression type such as BZIP2, Android quietly falls back to treating the entry as if it were merely stored. This allows the installation process to proceed without crashing, ensuring system stability even when encountering unusual file formats. The practical consequence for analysts is that the APK installs and runs normally on the device while off-the-shelf unpackers either ask for a password or fail, so a triage step has to read the ZIP headers directly rather than trust a generic extractor.
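The two header manipulations described above, as an added example (this is not Zimperium's code or the malware's): a small Python script that walks the ZIP central directory by hand, flags entries whose encryption bit is set or whose method is neither STORED nor DEFLATE, shows that Python's stock zipfile refuses such an entry, and then extracts it the way the post says Android does, treating the bytes as stored and checking them against the central-directory CRC-32. The APK-like archive, its package name and its file contents are constructed inline for the demonstration.

```python
"""Added example (not Zimperium's code): triage the two ZIP-header tricks
described above, then extract the affected entry the way the post says
Android does, by treating the bytes as stored.  Sample archive is constructed."""
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001                       # general-purpose flag bit 0
METHOD_STORED, METHOD_DEFLATE, METHOD_BZIP2 = 0, 8, 12


@dataclass
class Entry:
    name: str
    flags: int
    method: int
    crc: int
    csize: int
    local_off: int   # offset of the local file header
    cd_off: int      # offset of this central-directory record


def parse_central_directory(data: bytes):
    """Walk the central directory by hand; odd flags or methods must not stop us."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        (sig, _vm, _vn, flags, method, _t, _d, crc, csize, _usize,
         nlen, elen, clen, _disk, _ia, _ea, loff) = struct.unpack_from(
            "<4sHHHHHHIIIHHHHHII", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError(f"bad central-directory header at {pos:#x}")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(Entry(name, flags, method, crc, csize, loff, pos))
        pos += 46 + nlen + elen + clen
    return entries


def audit(data: bytes):
    """Map entry name -> anomalies that make stock unzip tools prompt or crash."""
    findings = {}
    for e in parse_central_directory(data):
        issues = []
        if e.flags & FLAG_ENCRYPTED:
            issues.append("encryption flag set")
        if e.method not in (METHOD_STORED, METHOD_DEFLATE):
            issues.append(f"non-standard method {e.method:#06x}")
        if issues:
            findings[e.name] = issues
    return findings


def recover(data: bytes, name: str) -> bytes:
    """Ignore the encryption flag, inflate only real DEFLATE, otherwise treat the
    bytes as stored; the central-directory CRC-32 proves the interpretation."""
    entry = next(e for e in parse_central_directory(data) if e.name == name)
    sig, _v, _f, _m, _t, _d, _crc, _cs, _us, nlen, elen = struct.unpack_from(
        "<4sHHHHHIIIHH", data, entry.local_off)
    if sig != LOCAL_SIG:
        raise ValueError(f"{name}: local header signature mismatch")
    start = entry.local_off + 30 + nlen + elen
    raw = data[start:start + entry.csize]
    payload = zlib.decompress(raw, -15) if entry.method == METHOD_DEFLATE else raw
    if zlib.crc32(payload) != entry.crc:
        raise ValueError(f"{name}: CRC mismatch, bytes are not simply stored")
    return payload


def build_tampered_apk() -> bytes:
    """Constructed sample: a STORED archive whose AndroidManifest.xml headers
    (local and central) are rewritten to claim encryption + BZIP2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.decoy'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    e = next(x for x in parse_central_directory(bytes(data)) if x.name == "AndroidManifest.xml")
    for off in (e.local_off + 6, e.cd_off + 8):   # flags field; method field follows it
        struct.pack_into("<HH", data, off, FLAG_ENCRYPTED, METHOD_BZIP2)
    return bytes(data)


def stock_zipfile_fails(data: bytes):
    """What an unprepared tool sees: Python's zipfile demands a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read("AndroidManifest.xml")
        return None
    except Exception as exc:       # RuntimeError: "... password required ..."
        return type(exc).__name__


if __name__ == "__main__":
    apk = build_tampered_apk()
    print("anomalies:", audit(apk))
    print("stock zipfile:", stock_zipfile_fails(apk))
    print("recovered:", recover(apk, "AndroidManifest.xml"))
```

Point `audit()` and `recover()` at a real sample instead of `build_tampered_apk()` to get the same triage on the wild APK; the CRC check is what separates "misdeclared header over stored bytes" (the case described here) from an entry that really is encrypted or compressed with an exotic method, which would fail the check and need different handling.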

Konfety Malware Analysis

Similar to earlier variants, these samples incorporate multiple layers of obfuscation designed to hinder detection and complicate both static and dynamic analysis.

One of the key techniques employed is dynamic code loading, where additional executable code is loaded at runtime from an encrypted asset bundled within the APK (Fig. 4). This encrypted file contains a secondary DEX (Dalvik Executable) file, which is not immediately visible during a standard inspection of the APK.

This method allows the malware to conceal critical functionality from an initial scan or reverse engineering attempt. Upon execution, the application decrypts and loads this DEX file into memory, enabling it to execute additional malicious logic that is completely hidden during installation and superficial analysis.

[Fig. 4: encrypted asset holding the secondary DEX]

The hidden DEX file contains several of the app components (activities, services, and receivers) that were declared in the AndroidManifest.xml but are missing from the primary APK codebase. This inconsistency immediately raised a red flag during our analysis and prompted deeper investigation.
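The manifest-versus-code inconsistency above can be checked without a decompiler, as an added example (not Zimperium's code): the script below reads the class_def, type_id and string_id tables straight from the DEX header offsets to list the classes a classes.dex actually defines, then reports every manifest component that has no class there. It assumes the component names have already been pulled out of the decoded AndroidManifest.xml (for instance with apktool); the package name, component names and the DEX file itself are constructed for the demonstration, with only the tables the parser reads populated.

```python
"""Added example (not Zimperium's code): list the classes a DEX actually
defines and diff them against the components the manifest declares, the
inconsistency that flagged the hidden DEX.  The DEX below is constructed."""
import struct

# Assumed input: component class names as read from the decoded AndroidManifest.xml
# (e.g. via apktool).  Made-up package for illustration.
MANIFEST_COMPONENTS = [
    "com.example.decoy.MainActivity",   # <activity>
    "com.example.decoy.AdService",      # <service>
    "com.example.decoy.BootReceiver",   # <receiver>
]


def dex_classes(dex: bytes):
    """Return the type descriptors of all class_def_items, straight from the header
    offsets (string_ids @0x38, type_ids @0x40, class_defs @0x60)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    _str_n, str_off, _type_n, type_off = struct.unpack_from("<IIII", dex, 0x38)
    cls_n, cls_off = struct.unpack_from("<II", dex, 0x60)

    def read_string(idx):
        pos = struct.unpack_from("<I", dex, str_off + 4 * idx)[0]
        while dex[pos] & 0x80:          # skip the uleb128 utf16_size prefix
            pos += 1
        pos += 1
        end = dex.index(b"\x00", pos)   # MUTF-8 is NUL-terminated; ASCII == UTF-8
        return dex[pos:end].decode("utf-8")

    names = []
    for i in range(cls_n):
        class_idx = struct.unpack_from("<I", dex, cls_off + 32 * i)[0]   # class_def_item is 32 bytes
        desc_idx = struct.unpack_from("<I", dex, type_off + 4 * class_idx)[0]
        names.append(read_string(desc_idx))
    return names


def undeclared_components(components, dex: bytes):
    """Manifest components with no matching class in this DEX: the red flag."""
    defined = {d[1:-1].replace("/", ".") for d in dex_classes(dex) if d.startswith("L")}
    return sorted(c for c in components if c not in defined)


def build_minimal_dex(class_names):
    """Constructed sample: only the tables dex_classes() reads are populated.
    Checksum, signature and map are left zero, so this is not an installable DEX."""
    descs = sorted("L" + n.replace(".", "/") + ";" for n in class_names)  # real DEX keeps these sorted
    n = len(descs)
    str_off, type_off = 0x70, 0x70 + 4 * n
    cls_off, data_off = type_off + 4 * n, type_off + 4 * n + 32 * n
    string_data, string_ids = b"", []
    for d in descs:
        string_ids.append(data_off + len(string_data))
        enc = d.encode()
        string_data += bytes([len(enc)]) + enc + b"\x00"   # one-byte uleb128 (< 128 chars)
    body = b"".join(struct.pack("<I", o) for o in string_ids)            # string_ids
    body += b"".join(struct.pack("<I", i) for i in range(n))             # type_ids -> string idx
    for i in range(n):                                                   # class_def_item
        body += struct.pack("<8I", i, 0x1, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 0, 0)
    body += string_data
    header = b"dex\n035\x00" + bytes(24)                                 # magic, checksum, sha1
    header += struct.pack("<IIIIII", 0x70 + len(body), 0x70, 0x12345678, 0, 0, 0)
    header += struct.pack("<IIII", n, str_off, n, type_off)              # string_ids, type_ids
    header += struct.pack("<IIIIIIII", 0, 0, 0, 0, 0, 0, n, cls_off)     # proto/field/method, class_defs
    header += struct.pack("<II", len(string_data), data_off)
    return header + body


if __name__ == "__main__":
    primary = build_minimal_dex(["com.example.decoy.MainActivity", "com.example.decoy.Loader"])
    print("defined:", dex_classes(primary))
    print("declared but missing:", undeclared_components(MANIFEST_COMPONENTS, primary))
```

Run `dex_classes()` over every classes*.dex in the APK before concluding a component is missing; a non-empty result after that is the signal that the component lives in code loaded at runtime, which is exactly where the encrypted-asset DEX should then be looked for.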

The presence of these hidden components allowed us to conclusively link the sample to the Konfety malware family. Inside the concealed code was a specific service related to the CaramelAds SDK, which earlier Konfety campaigns heavily abused for large-scale ad fraud operations. While this SDK is not inherently malicious, threat actors are known to exploit it to silently fetch and render ads, sideload additional payloads, and communicate with remote servers, all without the user's knowledge. This multi-layered obfuscation approach, combining encrypted assets, runtime code loading, and deceptive manifest declarations, demonstrates the evolving sophistication of the Konfety operation and its continuous efforts to evade analysis and bypass detection mechanisms.

Further indicators linking the current malware to the earlier campaign discovered by Human include the appearance of a User Agreement popup (Fig. 5) and the presence of a specific regular expression within the code. This expression searches for the pattern @injseq, which was also used in earlier versions (Fig. 6).

[Fig. 5: User Agreement popup]

[Fig. 6: regular expression matching the @injseq pattern]

Decoy Application

Further confirmation came with the discovery of several decoy applications on the Play Store that share the exact same package name as the malicious counterpart, although these decoys are not linked to the campaign itself. The malware simply mimics the legitimate app's package name but does not replicate its functionality. In fact, it hides its icon and does not display any app name, emphasizing its stealthy intent (Fig. 7).

[Fig. 7: installed malicious app with hidden icon and no app name]

Network Traffic Analysis

Through dynamic analysis, we intercepted the network communications between the malware and its server. Initially, after the user accepts the User Agreement, the malware opens a browser instance that connects to hxxp://push.razkondronging.com/register?uid=XXXXXX. This then redirects through several other websites. The final destination website employs deceptive tactics to trick the victim into either installing additional applications from outside the official app stores or accepting a browser notification prompt. Once approved, this leads to a flood of persistent and unwanted notifications (Fig. 8).

[Fig. 8: redirect chain and resulting browser notification spam]

Zimperium vs Konfety Malware

Zimperium's on-device Mobile Threat Defense (MTD) solution and zDefend customers are fully protected against the Konfety malware. Our detection capabilities identify and mitigate the new evasion techniques employed by this threat. By continuously monitoring and adapting to the evolving threat landscape, Zimperium ensures comprehensive protection for mobile devices against sophisticated malware like Konfety.

MITRE ATT&CK Techniques

To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table of MITRE ATT&CK tactics and techniques as a reference.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | Creates a broadcast receiver to receive network events |
| Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Uses the package name of legitimate decoy apps published on the Google Play Store |
| Defense Evasion | T1627.001 | Execution Guardrails: Geofencing | If the sample detects a mobile user agent from an EU country, it redirects the victim to suspicious sites; otherwise it redirects to google.com |
| Defense Evasion | T1628.001 | Hide Artifacts: Suppress Application Icon | Hides the app icon from the user |
| Defense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing | Uses obfuscation and packing (dynamic class loading) to conceal its code |
| Discovery | T1420 | File and Directory Discovery | Searches for the pattern @injseq |
| Discovery | T1418 | Software Discovery | Collects the list of installed application packages to check whether certain apps are present |
| Discovery | T1422 | System Network Configuration Discovery | Collects network information |
| Discovery | T1426 | System Information Discovery | Collects basic device information |
| Command and Control | T1481.001 | Web Service: Dead Drop Resolver | Connects to a domain that redirects the victim to other addresses |


Indicators of compromise (IOCs)

The indicators of compromise for this campaign can be found in this repository.
