Notorious Android malware Konfety is back and easily bypasses security tools.
According to TechRadar, security researchers have warned about a new and highly sophisticated variant of the notorious Android malware Konfety. The variant hides itself by deliberately "distorting" the structure of its own installation file (APK), making it very hard for security tools to analyze and detect.
Notorious Android malware makes a sophisticated comeback
According to a report from security firm zLabs, the attackers behind Konfety have found a way to fool analysis programs with two clever tricks.
First, they intentionally set a "flag" inside the installation file indicating that the file is encrypted when in fact it is not. Security tools that trust the flag freeze, report errors, or misread the file when they try to open it, so the file looks broken rather than malicious.
Second, they declare that the file is compressed with an uncommon compression method. This causes the decompression and analysis stages of antivirus software to fail as well, so they never "see" the malicious content inside. Experts say these tricks make reverse engineering the code for research far more complicated and time-consuming than before.
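As an added illustration, not code from the report or from TechRadar, the script below walks an APK's ZIP central directory by hand (so it does not depend on a library that trusts the headers) and reports entries whose headers claim encryption or a compression method Android does not support. The sample APK-like ZIP, the entry names, and the choice of method 12 for the tampered header are constructed for this example; the article does not say which method Konfety declares.

```python
import io
import struct
import zipfile

# APKs are never ZIP-encrypted and Android only installs STORED (0) or DEFLATED (8)
# entries, so a set encryption bit or any other method marks a tampered header.
ANDROID_METHODS = {0, 8}
ENCRYPTED_BIT = 0x0001

def _central_directory(data: bytes):
    """Walk the central directory by hand, yielding (offset, name, flags, method)."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError(f"central directory corrupt at offset {pos}")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield pos, data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), flags, method
        pos += 46 + name_len + extra_len + comment_len

def scan_apk_headers(data: bytes) -> list[dict]:
    """Report entries whose headers claim encryption or a non-Android compression."""
    findings = []
    for _, name, flags, method in _central_directory(data):
        reasons = []
        if flags & ENCRYPTED_BIT:
            reasons.append("encryption flag set")
        if method not in ANDROID_METHODS:
            reasons.append(f"compression method {method} unsupported by Android")
        if reasons:
            findings.append({"name": name, "flags": flags, "method": method, "reasons": reasons})
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed sample: a minimal APK-like ZIP; with tamper=True the classes.dex
    central-directory header is patched to claim encryption and method 12 (BZIP2)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        hdr = next(off for off, name, _, _ in _central_directory(data) if name == "classes.dex")
        struct.pack_into("<HH", data, hdr + 8, ENCRYPTED_BIT, 12)  # bytes stay plain deflate
    return bytes(data)
```

Python's own zipfile module opens the tampered sample but raises RuntimeError when asked to read classes.dex, because it trusts the encryption bit; that is the kind of tool failure the article describes, and it is why the scanner above reads the raw headers instead.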
Beyond tampering with the APK file, Konfety uses several other tactics to stay alive and reach users. Notable among them is the "dual application" scam: a seemingly legitimate version of the app is published on major app stores, while a different, malicious version is distributed through external sources.
Once installed, the malicious app hides its icon and uses geofencing so that it stays inactive in regions where security researchers are likely to examine it.
Once it has taken hold on a device, Konfety uses an advertising toolkit (the CaramelAds SDK) to repeatedly redirect users to fraudulent websites, pop up unwanted Android app installation prompts, and trigger persistent spam notifications in the browser.
The researchers concluded: "This latest variant demonstrates the sophistication of the attackers. This trick is designed to bypass security checks, making detection and analysis more difficult for experts."
