A new variant of the Konfety malware for Android was recently discovered, which uses APK files with a malformed ZIP structure and fairly sophisticated obfuscation techniques. The goal? To go undetected by antivirus and security analysis tools.
This malware disguises itself as legitimate applications, copying the appearance of popular apps that you might find on Google Play. However, once installed, it does none of what it promises.
Instead of offering the advertised features, Konfety redirects users to malicious sites, displays fake browser notifications, and promotes the installation of other unwanted applications. In addition, in the background, it leverages the CaramelAds SDK to retrieve and display hidden ads, all without the user's knowledge.
But that's not all: it also collects device data, such as the apps you have installed, network settings, and system details. All of this without asking for your permission.
Unwanted ads and redirects triggered by Konfety (Source: Zimperium)
Although Konfety is not spyware or a remote access Trojan (RAT) as such, it does come with a well-thought-out trap. Inside the APK file is a second, encrypted DEX file that is decrypted and loaded while the app is running. This file contains hidden services that are already declared in the AndroidManifest, but which go unnoticed at first.
So what does this mean? Basically, it leaves open the possibility of installing additional modules in real time, allowing the malware to update itself and become even more dangerous over time. This technique means that an initially “light” infection can quickly escalate with new malicious functions without the user noticing.
How does Konfety evade detection? Increasingly sophisticated tactics
Researchers at Zimperium, a platform specializing in mobile security, thoroughly analyzed the latest variant of Konfety and discovered that this malware uses multiple advanced techniques to hide its actual behavior and evade detection mechanisms.
It masquerades as legitimate apps
Konfety deceives users by posing as well-known Google Play apps. It copies the name, icons, and even the aesthetics of popular apps, and then distributes itself through third-party app stores. This tactic has been dubbed an “evil twin” or “decoy twin.”
The goal is simple: to get the user to download the app without suspecting anything. These types of alternative stores tend to attract people looking for “free” versions of premium apps, who avoid Google services, or who use older Android devices that are no longer compatible with Google Play.
Konfety also employs a technique called dynamic code loading, where the malicious part is not active from the start. Instead, the harmful code is hidden inside an encrypted DEX file, which is decrypted and executed only when the app is already running. This makes it much more difficult to detect using static analysis or automated tools.
Manipulating the APK to confuse analysts
One of Konfety's most creative tactics is how it manipulates the APK file itself to break or confuse analysis tools. Here are two examples that researchers highlighted:
- Deception with encrypted files: The APK sets the “general purpose bit” that marks an entry as encrypted... when in fact it is not. This causes some tools to prompt for a password that does not exist, making it difficult or impossible to access the actual content of the file.
- Compression with BZIP: It also declares some key APK files with the BZIP compression method, which is not supported by tools such as APKTool or JADX. As a result, these tools fail when trying to unpack the app for analysis.
Interestingly, although these techniques confuse analysts, Android has no problem running the APK. When it detects an unsupported compression method, the system simply ignores the declaration and processes the file by default, allowing the malicious app to run without visible errors.
Analysis tools crash when attempting to analyze the malicious APK
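As an added example (not code from Zimperium's report or from the original article), the following Python script walks an APK's ZIP central directory and flags the two header inconsistencies described above: an encryption bit on an entry whose payload inflates with no password at all, and a declared compression method other than STORED or DEFLATED. The archive it scans is constructed in the script itself by patching a normal zip; the entry names are illustrative, not taken from a real sample.

```python
import io, struct, zipfile, zlib

STORED, DEFLATED, BZIP2 = 0, 8, 12   # ZIP method ids (PKWARE APPNOTE); APKs use only 0 and 8
FLAG_ENCRYPTED = 0x0001              # general purpose bit 0 = "entry is encrypted"

def inflates_cleanly(raw: bytes) -> bool:
    """True if raw is a complete raw-DEFLATE stream, i.e. readable with no password at all."""
    try:
        d = zlib.decompressobj(-15); d.decompress(raw); return d.eof
    except zlib.error:
        return False

def scan_apk_zip(data: bytes) -> list:
    """Walk the central directory; return (name, finding) for entries whose header lies."""
    findings, eocd = [], data.rfind(b"PK\x05\x06")           # end-of-central-directory record
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":                # central header signature
            return findings + [("<archive>", f"bad central header at offset {pos}")]
        (flags, method, _, _, _, csize, _, nlen, xlen, clen,
         _, _, _, local) = struct.unpack_from("<HHHHIIIHHHHHII", data, pos + 8)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lnlen, lxlen = struct.unpack_from("<HH", data, local + 26)  # local header name/extra lengths
        raw = data[local + 30 + lnlen + lxlen:][:csize]
        if flags & FLAG_ENCRYPTED and inflates_cleanly(raw):
            findings.append((name, "encryption bit set but payload is plain DEFLATE"))
        if method not in (STORED, DEFLATED):
            kind = "raw DEFLATE" if inflates_cleanly(raw) else "unknown"
            findings.append((name, f"unsupported method {method}, payload is {kind}"))
        pos += 46 + nlen + xlen + clen
    return findings

def build_tampered_sample() -> bytes:
    """Constructed sample, not a real Konfety APK: a normal DEFLATE zip with patched headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name in ("classes.dex", "resources.arsc", "META-INF/MANIFEST.MF"):
            z.writestr(name, b"\x00" * 2048)
    data = bytearray(buf.getvalue())
    def patch(name: bytes, field: int, value: int):
        # Name follows its 30-byte local header and its 46-byte central header (field +2 there).
        loc, cen = data.find(name) - 30, data.rfind(name) - 46
        struct.pack_into("<H", data, loc + field, value)
        struct.pack_into("<H", data, cen + field + 2, value)
    patch(b"classes.dex", 6, FLAG_ENCRYPTED)    # flags field: claims encryption, data untouched
    patch(b"resources.arsc", 8, BZIP2)          # method field: claims BZIP2, data still DEFLATE
    return bytes(data)
```

Running `scan_apk_zip(build_tampered_sample())` reports both tampered entries while the untouched manifest entry produces no finding; the same walk can be pointed at any APK read from disk before handing it to tools such as APKTool or JADX.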
Once installed, Konfety hides its presence by removing its icon and name from the app menu. It also uses geofencing techniques, which means it adapts its behavior based on the user's geographic location. This can include activating malicious functions only in certain regions, which also makes it difficult to detect globally.
This compression-based obfuscation strategy has been seen before. In April 2024, Kaspersky documented a similar tactic used by the SoumniBot malware. In that case, the attackers:
- Declared invalid compression methods in the AndroidManifest.xml file
- Manipulated file sizes and used fake data
- Inserted overly large namespace strings to confuse analyzers
All with the same goal: to keep the malware undetected for as long as possible.
Recommendations for protecting your device
Given these increasingly complex techniques, we recommend the following:
- Avoid downloading APKs from unofficial stores: Most Konfety infections come from these sources.
- Only download apps from verified developers: Make sure the app comes from a trusted source and check other users' reviews.
- Keep your operating system and apps up to date: Updates often fix vulnerabilities that malware exploits.
- Install a reliable mobile security solution: Although not all of them can detect malware like Konfety, the most advanced ones constantly update their databases and offer extra layers of protection.