BadPack is an APK whose ZIP headers have been tampered with to hinder static analysis of AndroidManifest.xml, complicating malware analysis. The article reviews the BadPack technique across samples such as BianLian, Cerberus and TeaBot, discusses tool limitations (Apktool/Jadx) and Android runtime behavior, and notes that Google Play Protect offers protection against it. #BadPack #BianLian #Cerberus #TeaBot #GooglePlayProtect
Keypoints
- BadPack is an APK packaged with tampered ZIP headers to obstruct content extraction and static analysis.
- Analysis tools (e.g., Apktool, Jadx) often fail to extract AndroidManifest.xml from BadPack APKs, hindering reverse engineering.
- Android devices may still execute BadPack APKs by relying on the central directory header, despite mismatches in local header values.
- The researchers detected nearly 9,200 BadPack samples in Advanced WildFire telemetry from June 2023 to June 2024, indicating a notable threat.
- Attackers can manipulate ZIP headers in multiple ways (three methods described) to confuse analyzers while enabling normal device execution.
- apkInspector can extract and decode AndroidManifest.xml from BadPack APKs, unlike some mainstream tools, illustrating a path around header tampering.
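The keypoints above describe the mechanism in one sentence: the Android runtime trusts the central directory, while many analysis tools read the local file headers, so a BadPack sample keeps the central directory correct and corrupts the local headers. The following script is an added example written for this summary, not code from Unit 42 or from apkInspector. It builds a small constructed ZIP standing in for an APK, desynchronises one local header in the way the article describes (the specific fields changed here are an assumption chosen for illustration, not a claim about which fields the samples alter), and then walks the central directory comparing every entry against the local header it points at, which is the check a triage pipeline would run to flag header tampering before handing a file to Apktool or Jadx.

```python
import io
import struct
import zipfile

# ZIP record signatures and fixed-size header layouts (PKZIP APPNOTE)
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"           # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte central directory header


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small, well-formed ZIP with the
    two entries an analyst cares about most."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='x'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
    return buf.getvalue()


def tamper_first_local_header(data: bytes) -> bytes:
    """Constructed fixture (assumption for illustration): overwrite the
    compression-method and file-name-length fields of the first local file
    header while leaving the central directory untouched, producing the
    local/central mismatch the article describes."""
    buf = bytearray(data)
    off = buf.find(LOCAL_SIG)
    assert off >= 0, "no local file header in sample"
    struct.pack_into("<H", buf, off + 8, 0xFFFF)   # compression method
    struct.pack_into("<H", buf, off + 26, 0xFFFF)  # file name length
    return bytes(buf)


def check_header_consistency(data: bytes) -> list:
    """Walk the central directory (the view the Android runtime relies on) and
    compare each entry with the local file header it references. Returns a
    list of findings; an empty list means the two views agree."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_off(4)
    total_entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(total_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"central directory entry at offset {pos} has a bad signature")
            break
        (_, _, _, _c_flags, c_method, _, _, c_crc, c_csize, c_usize,
         c_nlen, c_xlen, c_clen, _, _, _, local_off) = struct.unpack_from(CENTRAL_FMT, data, pos)
        c_name = data[pos + 46:pos + 46 + c_nlen]
        name = c_name.decode("utf-8", "replace")
        pos += 46 + c_nlen + c_xlen + c_clen

        if local_off + 30 > len(data) or data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: local header offset {local_off} does not point at a local file header")
            continue
        (_, _, l_flags, l_method, _, _, l_crc, l_csize, l_usize,
         l_nlen, _l_xlen) = struct.unpack_from(LOCAL_FMT, data, local_off)
        if l_method != c_method:
            findings.append(f"{name}: compression method local={l_method} central={c_method}")
        if l_nlen != c_nlen:
            findings.append(f"{name}: file name length local={l_nlen} central={c_nlen}")
        elif data[local_off + 30:local_off + 30 + l_nlen] != c_name:
            findings.append(f"{name}: file name differs between local and central headers")
        # CRC and sizes are only authoritative in the local header when
        # general-purpose flag bit 3 (data descriptor follows the data) is clear.
        if not (l_flags & 0x8) and (l_crc, l_csize, l_usize) != (c_crc, c_csize, c_usize):
            findings.append(f"{name}: crc/size fields differ between local and central headers")
    return findings


if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in (("clean", clean), ("tampered", tamper_first_local_header(clean))):
        print(label, check_header_consistency(blob) or "headers consistent")
```

The check deliberately reads both header sets with struct rather than through Python's zipfile, because a library that has already decided which header to trust cannot show you the disagreement; on the tampered sample the clean run reports nothing and the tampered run reports the method and name-length mismatches on AndroidManifest.xml, which is exactly the entry the keypoints say mainstream tools fail to extract.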
MITRE Techniques
- [T1027] Obfuscated/Compressed Files or Information: BadPack tampering with ZIP headers to obstruct static analysis. "Malware authors can alter fields within these headers to prevent analysts from extracting an APK file's content."
Indicators of Compromise
- [Hash] BadPack malware hashes: 0003445778b525bcb9d86b1651af6760da7a8f54a1d001c355a5d3ad915c94cb, 015bd2e799049f5e474b80cbbdcd592ce4e2dfbfae183bada86a9b6ec103e25e and 2 more hashes
Read more: https://unit42.paloaltonetworks.com/apk-badpack-malware-tampered-headers/