The Konfety Android malware uses advanced evasion techniques such as ZIP-level tampering, dynamic code loading, and stealth features to conduct large-scale ad fraud and distribute malicious payloads. It mimics legitimate apps by sharing package names and hides its presence, while redirecting users to harmful websites and triggering persistent unwanted notifications. #Konfety #CaramelAds
Keypoints
- Konfety employs a dual-app deception by sharing the same package name between benign and malicious variants to evade detection.
- The malware uses ZIP-level evasion techniques, such as setting general purpose bit flags and declaring the unsupported BZIP compression method in entry headers, to disrupt analysis tools.
- Dynamic code loading with encrypted secondary DEX files hides core malicious functionality until runtime.
- Stealth tactics include hiding the app icon, geofencing based on user location, and mimicking legitimate apps to avoid suspicion.
- Konfety abuses the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.
- The malware redirects users to fraudulent websites prompting unwanted app installs and persistent spam-like browser notifications.
- Zimperium’s Mobile Threat Defense solutions effectively detect and mitigate Konfety’s advanced evasion methods.
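The ZIP-level tricks listed above (general purpose bit flags set on entries, BZIP compression that Android tolerates but decompilers do not) are visible in the archive's central directory before any tool tries to unpack the APK. The following is an added example, not code from Zimperium's report or from the Konfety samples: it parses the central directory with `struct` alone, so it does not depend on a ZIP library that would refuse the tampered entries, and reports any entry with the encryption bit (bit 0) set or a compression method other than stored/deflate. The two in-memory archives it scans are constructed with Python's `zipfile` as stand-ins for an APK; the finding keys (`issue`, `method_name`) are this example's own naming.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"          # end of central directory record
CDH_SIG = b"PK\x01\x02"           # central directory file header
EOCD_FMT = "<4sHHHHIIH"           # 22-byte fixed part of the EOCD
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of each CD header
FLAG_ENCRYPTED = 0x0001           # general purpose bit 0: entry is encrypted
# Methods the Android APK loader accepts; anything else is suspicious in an APK.
APK_METHODS = {0: "stored", 8: "deflate"}
OTHER_METHODS = {12: "bzip2", 14: "lzma", 93: "zstd", 99: "aes"}


def iter_central_directory(data: bytes):
    """Yield one dict per central directory entry, parsed with struct only.

    The central directory is what Android (and most analysis tools) trust,
    so the flag and method values recorded there are the ones to inspect.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, n_entries, _cd_size, cd_offset, _ = struct.unpack(
        EOCD_FMT, data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(n_entries):
        header = data[pos:pos + 46]
        if len(header) < 46 or header[:4] != CDH_SIG:
            # Entry count or offset lies: report it rather than crash.
            yield {"name": None, "corrupt": True, "flags": 0, "method": 0}
            return
        f = struct.unpack(CDH_FMT, header)
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield {"name": name, "corrupt": False, "flags": f[3], "method": f[4]}
        pos += 46 + name_len + extra_len + comment_len


def scan_zip_headers(data: bytes) -> list:
    """Return one finding per entry whose ZIP headers would trip analysis tools."""
    findings = []
    for entry in iter_central_directory(data):
        if entry["corrupt"]:
            findings.append({"name": None, "issue": "corrupt_central_directory"})
            break
        if entry["flags"] & FLAG_ENCRYPTED:
            findings.append({"name": entry["name"], "issue": "encrypted_flag_set",
                             "flags": entry["flags"]})
        if entry["method"] not in APK_METHODS:
            findings.append({"name": entry["name"], "issue": "unsupported_method",
                             "method": entry["method"],
                             "method_name": OTHER_METHODS.get(entry["method"], "unknown")})
    return findings


def build_sample(method_name: str) -> bytes:
    """Constructed in-memory archive standing in for an APK (not a real sample)."""
    method = {"deflate": zipfile.ZIP_DEFLATED, "bzip2": zipfile.ZIP_BZIP2}[method_name]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("deflate", "bzip2"):
        hits = scan_zip_headers(build_sample(label))
        print(label, hits or "clean")
```

The deflate archive produces no findings; the bzip2 archive yields one `unsupported_method` finding per entry (method 12). Running the same scan over a real APK before handing it to a decompiler turns a silent tool failure into an explicit triage signal.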
MITRE Techniques
- [T1624.001] Event Triggered Execution: Broadcast Receivers – Creates broadcast receivers to receive network events.
- [T1655.001] Masquerading: Match Legitimate Name or Location – Uses package names of legitimate decoy apps from the Google Play Store.
- [T1627.001] Geofencing – Redirects victims geolocated in EU countries to suspicious sites and all others to google.com.
- [T1628.001] Suppress Application Icon – Hides the app icon from the user.
- [T1406.002] Obfuscated Files or Information: Software Packing – Uses dynamic class loading and obfuscation to conceal code.
- [T1420] File and Directory Discovery – Searches for the pattern “@injseq” within files.
- [T1418] Software Discovery – Collects installed application package lists to check for specific apps.
- [T1422] System Network Configuration Discovery – Collects network information from the device.
- [T1426] System Information Discovery – Gathers basic device information.
- [T1481.001] Dead Drop Resolver – Connects to websites that redirect victims to multiple addresses.
Indicators of Compromise
- [Domain] Command and control server domain involved in redirects – push.razkondronging.com
- [File Names] Package name shared by both benign and malicious variants used as decoys.
- [Network] URLs involved in redirection and payload delivery – multiple redirect websites after initial contact.
- [Code Patterns] Regular expression pattern searched by malware – “@injseq”.
Read more: https://zimperium.com/blog/konfety-returns-classic-mobile-threat-with-new-evasion-techniques