Zimperium zLabs researchers are closely tracking an evolving threat, noting its use of “evil-twin” tactics and duplicate package names to mimic legitimate Google Play apps. This clever masquerade allows Konfety to bypass standard security scans and trick users into installing seemingly harmless applications. Its core evasion strategy relies on subtly corrupted ZIP files, which exploit vulnerabilities in analysis tools. By enabling a misleading flag and falsely declaring an unsupported BZIP compression, the malware causes tools to incorrectly identify the APK as encrypted or leads to partial decompression and invalid file parsing. Android, however, gracefully handles these malformed files, allowing the app to install without issue.
Furthermore, Konfety employs advanced obfuscation, dynamically loading hidden, encrypted code at runtime.
This secondary DEX file, not visible during standard inspections, contains critical components declared in the app’s manifest but missing from the main code. This sophisticated technique ensures that key malicious functionalities remain concealed from static analysis, only becoming active once the app is running.
These hidden components are linked to Konfety’s history of leveraging the CaramelAds SDK for ad fraud. This enables the malware to silently execute ads, install additional payloads, and communicate with remote servers without the user’s knowledge or consent. Further indicators, such as a user agreement popup and a specific regular expression (@injseq) found in the code, reinforce its connection to previous Konfety campaigns.
Ultimately, Konfety’s deceptive tactics aim to trick users into accepting a user agreement upon launch, subsequently redirecting them through multiple sites to install unauthorized applications or enable intrusive browser notifications. By maintaining identical package names as legitimate Play Store apps but lacking their advertised features, and by hiding its icon and app name, Konfety remains a persistent and stealthy threat within the Android ecosystem.
Reference:
