A new variant of the Konfety Android malware emerged with a malformed ZIP structure along with other obfuscation methods that allow it to evade analysis and detection.

The capabilities of the malware include redirecting users to malicious sites, pushing unwanted app installs, and fake browser notifications.

Although Konfety isn't a spyware or RAT tool, it includes an encrypted secondary DEX file inside the APK, which is decrypted and loaded at runtime, containing hidden services declared in the AndroidManifest file.

Researchers at mobile security platform Zimperium discovered and analyzed the latest Konfety variant and report that the malware uses several methods to obfuscate its real nature and activity.

Third-party app marketplaces are often where users look for "free" variants of premium apps because they want to avoid Google tracking, have an Android device that is no longer supported, or don't have access to Google services.

Another uncommon anti-analysis strategy in Konfety is to manipulate the APK files in a way that confuses or breaks static analysis and reverse engineering tools.

Among these manipulations, critical files in the APK are declared using BZIP compression (0x000C), which isn't supported by analysis tools like APKTool and JADX, resulting in a parsing failure. Meanwhile, Android ignores the declared method and falls back to default processing to maintain stability, allowing the malicious app to install and run on the device without issue.

Compression-based obfuscation has been observed in the past in Android malware, as highlighted in a Kaspersky report from April 2024 on SoumniBot malware. In that case, SoumniBot declared an invalid compression method in AndroidManifest.xml, declared a fake file size and data overlay, and confused analysis tools with very large namespace strings.

The dynamic code loading, where the malicious logic is hidden in an encrypted DEX file that loads at runtime, is another effective obfuscation and evasion mechanism that Konfety employs.

It is typically recommended to avoid installing APK files from third-party Android app stores and only trust software from publishers you know.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
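The BZIP declaration described above is a single 16-bit field in each ZIP entry's local file header and central directory record. The following Python script is an added example, not code from the article or from Zimperium: it constructs a minimal APK-like ZIP in memory, rewrites that field for AndroidManifest.xml to 0x000C while leaving the deflate stream untouched, then flags the unusual method plus any method or size disagreement between the two headers (the kind of triage check a defender would run on an APK before handing it to APKTool or JADX), and finally shows that a strict parser honoring the declared method fails while retrying the stream as deflate recovers the real content. The `fallback=True` path in `read_entry` is a simplified model of the Android behaviour the article describes, not Android's actual code, and every file name and content here is constructed.

```python
"""Audit ZIP/APK headers for parser-breaking compression declarations (added example)."""
import bz2
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CD_SIG = b"PK\x01\x02"
LFH_SIG = b"PK\x03\x04"
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2"}
ORDINARY_METHODS = {0, 8}  # the only methods APK tooling normally expects

# Constructed sample contents; not a real manifest or real bytecode.
MANIFEST = b"<manifest package='com.example.constructed'/>" * 4
DEX_STUB = b"dex\n035\x00" + bytes(64)


def iter_central_directory(data: bytes):
    """Yield one dict per central directory record, located via the EOCD record."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd_at)
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        (_, _, _, flags, method, _, _, _, csize, usize, name_len, extra_len,
         comment_len, _, _, _, lfh_offset) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield {"name": name, "flags": flags, "method": method, "csize": csize,
               "usize": usize, "cd_pos": pos, "lfh_offset": lfh_offset}
        pos += 46 + name_len + extra_len + comment_len


def local_header(data: bytes, lfh_offset: int):
    """Parse a local file header; returns (method, compressed size, offset of the data)."""
    if data[lfh_offset:lfh_offset + 4] != LFH_SIG:
        raise ValueError(f"bad local header signature at {lfh_offset}")
    _, _, _, method, _, _, _, csize, _, name_len, extra_len = struct.unpack_from(
        "<4sHHHHHIIIHH", data, lfh_offset)
    return method, csize, lfh_offset + 30 + name_len + extra_len


def build_sample_apk(mismatched: bool) -> bytes:
    """Construct a minimal APK-like ZIP. With mismatched=True the manifest's declared
    method is rewritten to 0x000C (bzip2) in both headers; the deflate bytes stay as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", DEX_STUB)
    data = bytearray(buf.getvalue())
    if mismatched:
        for entry in iter_central_directory(bytes(data)):
            if entry["name"] == "AndroidManifest.xml":
                struct.pack_into("<H", data, entry["cd_pos"] + 10, 0x000C)     # central directory
                struct.pack_into("<H", data, entry["lfh_offset"] + 8, 0x000C)  # local header
    return bytes(data)


def audit_zip(data: bytes):
    """Return (entry name, finding) pairs for declarations that break strict parsers."""
    findings = []
    for entry in iter_central_directory(data):
        lfh_method, lfh_csize, _ = local_header(data, entry["lfh_offset"])
        if entry["method"] not in ORDINARY_METHODS:
            label = METHOD_NAMES.get(entry["method"], "unknown")
            findings.append((entry["name"],
                             f"unusual compression method 0x{entry['method']:04X} ({label})"))
        if lfh_method != entry["method"]:
            findings.append((entry["name"], "method differs between local header and central directory"))
        if lfh_csize != entry["csize"]:
            findings.append((entry["name"], "compressed size differs between local header and central directory"))
    return findings


def _inflate(raw: bytes, method: int) -> bytes:
    if method == 0:
        return raw
    if method == 8:
        return zlib.decompress(raw, -15)  # raw deflate stream, no zlib header
    if method == 12:
        return bz2.decompress(raw)        # raises OSError when the bytes are not bzip2
    raise NotImplementedError(f"compression method {method}")


def read_entry(data: bytes, name: str, fallback: bool = False) -> bytes:
    """Decompress one entry. Strict mode honors the declared method like an analysis tool;
    fallback=True retries the stream as deflate, a simplified stand-in for the lenient
    handling the article attributes to Android (assumption, not Android's real logic)."""
    for entry in iter_central_directory(data):
        if entry["name"] != name:
            continue
        _, _, start = local_header(data, entry["lfh_offset"])
        raw = data[start:start + entry["csize"]]
        try:
            return _inflate(raw, entry["method"])
        except (OSError, zlib.error, NotImplementedError):
            if not fallback:
                raise
            return zlib.decompress(raw, -15)
    raise KeyError(name)


if __name__ == "__main__":
    sample = build_sample_apk(mismatched=True)
    for entry_name, finding in audit_zip(sample):
        print(f"{entry_name}: {finding}")
    try:
        read_entry(sample, "AndroidManifest.xml")
    except OSError as exc:
        print("strict parse failed:", exc)
    print("fallback recovered manifest:", read_entry(sample, "AndroidManifest.xml", fallback=True) == MANIFEST)
```

Run it directly to see the audit output: the clean sample produces no findings, while the patched sample reports the 0x000C method on AndroidManifest.xml, the strict read fails with a bzip2 "Invalid data stream" error, and the deflate retry returns the original manifest bytes. Pointing `audit_zip` at the bytes of a real APK gives the same three checks without relying on any extractor that might choke on the declaration.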
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 15 Jul 2025 13:15:16 +0000