A new variant of the Konfety Android malware has emerged with a malformed ZIP structure and other obfuscation methods that let it evade analysis and detection.
Konfety poses as a legitimate app, mimicking innocuous products available on Google Play, but features none of the promised functionality.
Instead, it fetches and renders hidden ads using the CaramelAds SDK and exfiltrates information such as the list of installed apps, network configuration, and system information.
Its capabilities also include redirecting users to malicious sites, pushing unwanted app installs, and displaying fake browser notifications.
Unwanted ads and redirects triggered by Konfety
Source: Zimperium
Although Konfety isn't spyware or a RAT, it includes an encrypted secondary DEX file inside the APK that is decrypted and loaded at runtime; the services declared in the AndroidManifest file are implemented in this hidden DEX rather than in the visible code.
This leaves the door open for dynamically installing additional modules, allowing more dangerous capabilities to be delivered to existing infections.
Evasion tactics
Researchers at mobile security platform Zimperium discovered and analyzed the latest Konfety variant and report that the malware uses several methods to obfuscate its real nature and activity.
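The malformed ZIP structure mentioned above is the kind of thing a triage pipeline should catch before it hands an APK to tools that silently fail on it. The following is an added example (written for this page, not Zimperium's tooling and not derived from a Konfety sample) that hand-rolls two tiny ZIP archives with constructed placeholder members, one clean and one with forged header fields, then walks the central directory, cross-checks each local header, and inflates members to verify their CRCs. The specific forgeries shown (an encryption flag on unencrypted data, a compression method other than stored/deflate) are general ZIP anomalies used for illustration; the assumption that an installable APK only contains stored or deflated members is stated in the code and is not a claim the article makes about this variant.

```python
import io
import struct
import zipfile
import zlib

# ZIP record signatures and layouts (PKWARE APPNOTE). Constants only.
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"
FLAG_ENCRYPTED, FLAG_DATA_DESCRIPTOR = 0x0001, 0x0008
# Assumption used as a heuristic: an APK that installs cleanly should only
# contain stored (0) or deflated (8) members. Anything else deserves a look.
EXPECTED_METHODS = {0, 8}


def build_zip(entries, flags=0, method=8):
    """Hand-roll a ZIP from (name, bytes) pairs so header fields can be forged.
    Members are always deflate-compressed; `flags`/`method` are written into the
    headers verbatim, so a caller can claim encryption or an unexpected method
    without the data actually being encrypted or bzip2-compressed."""
    body, central = bytearray(), bytearray()
    for name, data in entries:
        raw = zlib.compress(data)[2:-4]          # drop zlib header/adler32 -> raw deflate
        crc = zlib.crc32(data) & 0xFFFFFFFF
        nb, off = name.encode(), len(body)
        body += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0,
                            crc, len(raw), len(data), len(nb), 0) + nb + raw
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                               crc, len(raw), len(data), len(nb), 0, 0, 0, 0, 0, off) + nb
    cd_off = len(body)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), cd_off, 0)
    return bytes(body + central + eocd)


def audit_zip(blob):
    """Walk the central directory, cross-check every local header and, where
    possible, inflate the member and verify size and CRC. Returns a list of
    (member, finding) pairs; an empty list means the archive is consistent."""
    findings = []
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd)
    pos = cd_off
    for _ in range(count):
        (sig, _, _, flags, method, _, _, crc, csize, usize,
         fnlen, exlen, cmlen, _, _, _, loff) = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if sig != CENTRAL_SIG:
            findings.append(("<archive>", "central directory signature mismatch"))
            break
        name = blob[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        pos += 46 + fnlen + exlen + cmlen
        if flags & FLAG_ENCRYPTED:
            findings.append((name, "encryption flag set"))
        if method not in EXPECTED_METHODS:
            findings.append((name, f"unexpected compression method {method}"))
        (lsig, _, lflags, lmethod, _, _, lcrc, lcsize, lusize,
         lfnlen, lexlen) = struct.unpack_from(LOCAL_FMT, blob, loff)
        if lsig != LOCAL_SIG:
            findings.append((name, "local header signature mismatch"))
            continue
        mismatch = (lflags, lmethod) != (flags, method)
        if not (lflags & FLAG_DATA_DESCRIPTOR):  # with bit 3 set, local CRC/sizes are legitimately zero
            mismatch |= (lcrc, lcsize, lusize) != (crc, csize, usize)
        if mismatch:
            findings.append((name, "local header disagrees with central directory"))
        if method == 8 and not (flags & FLAG_ENCRYPTED):
            start = loff + 30 + lfnlen + lexlen
            try:
                data = zlib.decompress(blob[start:start + csize], -15)
                if len(data) != usize or (zlib.crc32(data) & 0xFFFFFFFF) != crc:
                    findings.append((name, "inflated content does not match declared size/CRC"))
            except zlib.error:
                findings.append((name, "deflate stream fails to inflate"))
    return findings


def stock_parser_can_read(blob):
    """Whether Python's zipfile can list and extract every member: a proxy for
    the off-the-shelf unpackers that static analysis pipelines rely on."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return True
    except Exception:  # any failure is the outcome we care about here
        return False


# Constructed stand-ins for APK members; not real Konfety artefacts.
MEMBERS = [("AndroidManifest.xml", b'<manifest package="com.example.placeholder"/>'),
           ("classes.dex", b"dex\n035\x00" + bytes(64))]
CLEAN = build_zip(MEMBERS)
# Forged: every member claims to be encrypted and to use method 12 (bzip2),
# although the bytes are plain deflate.
FORGED = build_zip(MEMBERS, flags=FLAG_ENCRYPTED, method=12)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("forged", FORGED)):
        print(label, "zipfile ok:", stock_parser_can_read(blob), "findings:", audit_zip(blob))
```

Running it shows the asymmetry that makes this trick useful to an attacker: the forged archive is rejected outright by a standard parser (so an automated pipeline gets nothing to analyse), while the structural audit still enumerates every member and reports exactly which header fields were tampered with. In practice, point `audit_zip` at a real APK's bytes and treat any finding as a reason to route the sample to manual analysis rather than to drop it.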