New Konfety Malware Variant Evades Detection by Manipulating APKs and Dynamic Code
Briefly

Cybersecurity researchers uncovered a sophisticated variant of the Konfety Android malware, which employs an evil twin technique for ad fraud. This involves a benign decoy app on the Google Play Store and a malicious twin sharing the same package name. Threat actors exhibit adaptability by altering ad networks and updating evasion methods. They use malformed APKs to bypass detection and dynamically load payloads, while also utilizing compression methods to confuse analysis tools.
The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection. This latest variant demonstrates their sophistication by specifically tampering with the APK's ZIP structure.
Using malformed APKs lets the threat actors sidestep detection and frustrates reverse engineering. Besides dynamically loading the main DEX payload at runtime, the newly discovered versions set bit 0 of the ZIP general-purpose bit flag, which signals to the system that the file is encrypted even though it is not.
The second technique is to falsely declare the BZIP compression method for the app's manifest XML file, which causes analysis tools like APKTool and JADX to crash on a parsing failure.
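The two ZIP-level tricks described above are visible in the archive headers themselves, so a defender can triage an APK without unpacking it. The following Python is an added example written for this summary, not code from the article or from the Konfety researchers. It builds a constructed in-memory APK-like archive, tampers with it in the two ways the article names (bit 0 of the general-purpose bit flag set on an entry, and compression method 12, bzip2 in the ZIP specification, declared for the manifest), and then flags any entry whose flag bits claim encryption or whose compression method is something Android's runtime does not support. The package name and file contents are placeholders.

```python
import io
import struct
import zipfile
from typing import List, Dict, Optional

# Android only unpacks entries that are stored (0) or deflated (8);
# anything else in the method field is a red flag for an APK.
ANDROID_COMPRESSION = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature


def scan_apk(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per central-directory entry that looks malformed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append({"entry": info.filename,
                                 "issue": "encryption flag set",
                                 "value": info.flag_bits})
            if info.compress_type not in ANDROID_COMPRESSION:
                findings.append({"entry": info.filename,
                                 "issue": "unsupported compression method",
                                 "value": info.compress_type})
    return findings


def _patch_headers(data: bytearray, name: bytes,
                   or_flags: Optional[int], method: Optional[int]) -> None:
    """Rewrite the flag/method fields of one entry in both the local header
    and the central directory, the way a hand-crafted APK would."""
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) != -1:
        name_len = struct.unpack_from("<H", data, pos + 26)[0]
        if data[pos + 30:pos + 30 + name_len] == name:
            if or_flags is not None:
                flags = struct.unpack_from("<H", data, pos + 6)[0]
                struct.pack_into("<H", data, pos + 6, flags | or_flags)
            if method is not None:
                struct.pack_into("<H", data, pos + 8, method)
        pos += 4
    pos = 0
    while (pos := data.find(CENTRAL_SIG, pos)) != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + name_len] == name:
            if or_flags is not None:
                flags = struct.unpack_from("<H", data, pos + 8)[0]
                struct.pack_into("<H", data, pos + 8, flags | or_flags)
            if method is not None:
                struct.pack_into("<H", data, pos + 10, method)
        pos += 4


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed sample: a two-entry archive, optionally malformed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # Placeholder contents; a real APK carries binary XML and DEX here.
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.placeholder'/>")
        zf.writestr("classes.dex", "dex placeholder")
    data = bytearray(buf.getvalue())
    if tampered:
        _patch_headers(data, b"classes.dex", or_flags=ENCRYPTED_FLAG, method=None)
        _patch_headers(data, b"AndroidManifest.xml", or_flags=None, method=12)  # 12 = bzip2
    return bytes(data)


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk(tampered=True)):
        print(f"{f['entry']}: {f['issue']} (value {f['value']})")
```

The scanner reads only the central directory that Python's `zipfile` parses, which is enough to surface both tricks without decompressing anything, so a crashing decompressor cannot take the triage step down with it. A production check should also walk the local file headers and compare them field by field with the central directory, since an archive whose two views disagree is itself a strong signal that it was crafted to confuse one parser but not another.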
Read at The Hacker News