- zLabs discovers a new version of the Konfety Android malware
- This version uses malformed APKs to avoid being detected and analyzed
- It also uses the “evil twin” tactic to hide in plain sight
The notorious Konfety Android malware has apparently been updated, with new versions hiding in plain sight through a manipulated APK structure, experts have warned.
Security researchers at zLabs have found new Konfety variants adopting “increasingly advanced” techniques to evade detection and hinder reverse engineering efforts.
In ZIP files (the format on which APKs are based), each file entry carries a so-called general purpose bit flag, a two-byte field that stores metadata on how the file should be handled, with each bit set to either 0 or 1. One of the bits in the flag indicates whether the file is encrypted or not.
Evil twins and double apps
In Konfety’s case, the attackers deliberately set bit 0 to 1 even though the file is not actually encrypted, causing decompilation tools to misinterpret the entries, analysis tools to crash or treat the file as unreadable or broken, and reverse engineers to waste time chasing failures.
But that’s not all. Each file entry in a ZIP archive also includes a compression method identifier (0x0000 for no compression, 0x000C for an uncommon compression method, and so on).
With Konfety, the attackers declared files as compressed with method 0x000C when they were not. Since the files cannot be decompressed correctly, this leads to partial extraction, parsing errors or even crashes, which complicates reverse engineering and analysis.
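The two header tricks described above (a general purpose bit flag that claims encryption, and a compression method field that claims an uncommon method) are easy to check for without trusting either field. The script below is an added example, not zLabs’ tooling or anything from the article: it walks a ZIP central directory by hand, flags entries whose headers lie, and tests what the stored bytes really are. The sample “APK” it builds is a constructed two-entry ZIP, and `simulate_konfety_tamper` only rewrites the two header fields the article names so the detection and repair can be demonstrated offline.

```python
import io
import struct
import zipfile
import zlib
from collections import namedtuple

# ZIP record signatures and the header fields discussed in the article (PKWARE APPNOTE layout).
CDH_SIG = 0x02014B50          # central directory file header
LFH_SIG = 0x04034B50          # local file header
EOCD_SIG = b"PK\x05\x06"      # end of central directory record
FLAG_ENCRYPTED = 0x0001       # bit 0 of the two-byte general purpose bit flag
METHOD_STORED, METHOD_DEFLATED, METHOD_BZIP2 = 0x0000, 0x0008, 0x000C
EXPECTED_METHODS = {METHOD_STORED, METHOD_DEFLATED}   # what normal Android build tools emit

Entry = namedtuple("Entry", "name flags method crc csize usize cd_pos local_off")


def iter_central_directory(data):
    """Walk the central directory ourselves so lying flags cannot stop the parse."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CDH_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name_len, extra_len, comment_len = f[10:13]
        name = data[pos + 46 : pos + 46 + name_len].decode("utf-8", "replace")
        yield Entry(name, f[3], f[4], f[7], f[8], f[9], pos, f[16])
        pos += 46 + name_len + extra_len + comment_len


def raw_entry_bytes(data, e):
    """Return the stored bytes of an entry, located via its local file header."""
    lf = struct.unpack_from("<IHHHHHIIIHH", data, e.local_off)
    if lf[0] != LFH_SIG:
        return None
    start = e.local_off + 30 + lf[9] + lf[10]          # fixed header + name + extra field
    return data[start : start + e.csize]


def guess_real_method(data, e):
    """Ignore the declared method and test what the bytes actually are (deflate or stored)."""
    raw = raw_entry_bytes(data, e)
    if raw is None:
        return None
    try:
        plain = zlib.decompressobj(-zlib.MAX_WBITS).decompress(raw)
        if len(plain) == e.usize and zlib.crc32(plain) == e.crc:
            return METHOD_DEFLATED
    except zlib.error:
        pass
    if len(raw) == e.usize and zlib.crc32(raw) == e.crc:
        return METHOD_STORED
    return None


def scan_zip_headers(data):
    """Return (entry name, finding) pairs for the header tricks the article describes."""
    findings = []
    for e in iter_central_directory(data):
        if e.flags & FLAG_ENCRYPTED:
            findings.append((e.name, "encryption bit set in general purpose flag"))
        if e.method not in EXPECTED_METHODS:
            findings.append((e.name, f"unexpected compression method 0x{e.method:04x}"))
        real = guess_real_method(data, e)
        if real is not None and real != e.method:
            findings.append((e.name, f"declared 0x{e.method:04x} but data is really 0x{real:04x}"))
    return findings


def rewrite_headers(data, flags_fn, method_fn):
    """Patch flag and method in both the central and the local header of every entry."""
    out = bytearray(data)
    for e in iter_central_directory(data):
        new = (flags_fn(e.flags), method_fn(e))
        struct.pack_into("<HH", out, e.cd_pos + 8, *new)      # central dir: flags @+8, method @+10
        struct.pack_into("<HH", out, e.local_off + 6, *new)   # local header: flags @+6, method @+8
    return bytes(out)


def simulate_konfety_tamper(data):
    """Constructed sample: declare 'encrypted' and method 0x000C for plain deflated data."""
    return rewrite_headers(data, lambda f: f | FLAG_ENCRYPTED, lambda e: METHOD_BZIP2)


def normalize_headers(data):
    """Analyst-side repair: clear the lying bit and write back the method the bytes really use."""
    return rewrite_headers(data, lambda f: f & ~FLAG_ENCRYPTED,
                           lambda e: guess_real_method(data, e) or e.method)


def build_sample_apk():
    """Constructed stand-in for an APK: an ordinary deflated ZIP with two familiar entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.test'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)) * 4)
    return buf.getvalue()


def stdlib_can_read(data, name):
    """True if Python's own zipfile trusts the headers enough to extract the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except Exception:
        return False


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = simulate_konfety_tamper(clean)
    for label, blob in (("clean", clean), ("tampered", bad), ("normalized", normalize_headers(bad))):
        print(label, stdlib_can_read(blob, "classes.dex"), scan_zip_headers(blob))
```

Running it shows the effect the article describes: the stock `zipfile` module refuses the tampered archive (it believes the encryption bit), while the hand-rolled scanner reports all three inconsistencies per entry and `normalize_headers` restores an archive that standard tools open again. The repair deliberately decides the real method from the bytes rather than from the header, which is the only field an attacker has not touched.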
There are other ways Konfety tries to hide and maintain persistence. zLabs said the attackers also use the so-called “double app” tactic, where a legitimate app is listed in the major app stores and a malicious one is distributed elsewhere.
The app also hides its icon once installed and uses geofencing to make sure certain analysts and researchers can’t reach it.
Konfety works by using the CaramelAds SDK to fetch ads, deliver payloads and maintain communication with attacker-controlled servers. It redirects users to malicious sites, prompts unwanted app installations and triggers persistent spam-like browser notifications.
“The threat actors behind Konfety are very adaptable and consistently change their targeted advertising network and update their methods to avoid detection,” the researchers warned.
“This latest variant demonstrates their sophistication by specifically manipulating the APK’s ZIP structure. This tactic is designed to bypass security checks and markedly complicates reverse engineering efforts, making detection and analysis more challenging for security professionals.”
Via BleepingComputer