Konfety Malware Evolves: New Android Variant Uses Malformed ZIPs & Encrypted Code to Evade Detection
The latest iteration of the Android malware known as Konfety has grown even more insidious. Researchers at Zimperium zLabs have uncovered a refined variant that employs unconventional ZIP archive structures and encrypted, runtime-loaded code. These techniques enable the malware to skillfully evade automated analysis tools and remain undetected.
At the heart of this evolution lies a cunning manipulation of the ZIP archive: within the APK file, a specific flag is set that causes many security tools to mistakenly identify the archive as encrypted. Some utilities prompt for a password that doesn’t exist; others fail outright to parse the file’s structure.
Further confusion is sown by specifying an invalid compression method. The archive entry for AndroidManifest.xml declares BZIP compression, yet in reality no such algorithm is applied. This discrepancy leads to partial extraction failures or outright crashes during static analysis, significantly complicating the examination of infected samples.
Despite the malformed ZIP archive, the Android operating system handles such cases gracefully, installing the malicious application without triggering any alerts. Meanwhile, specialized tools like APKTool and JADX either crash or request an imaginary password, allowing the malware to masquerade as an ordinary application.
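As an added example (not code from the Zimperium report), the following Python triage check walks an APK's central directory by hand and reports the two header tricks described above, then shows how the stock `zipfile` module reacts to the same bytes; the archive it scans is a constructed fixture, not a real Konfety sample.

```python
import io
import struct
import zipfile

ANDROID_METHODS = {0, 8}           # STORED and DEFLATE: all Android's installer accepts
FLAG_ENCRYPTED = 0x0001            # general purpose bit 0: "this entry is encrypted"
EOCD_SIG, CDIR_SIG = b"PK\x05\x06", b"PK\x01\x02"

def scan_central_directory(data: bytes) -> list:
    """Walk the central directory with struct and return (entry, reason) findings. Nothing
    here decrypts or decompresses, so a bogus flag or method is reported, not fatal."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0: raise ValueError("no end-of-central-directory record")
    # EOCD fields after the signature: disk, cd_disk, n_this_disk, n_total, cd_size, cd_offset
    _, _, _, n_total, _, pos = struct.unpack_from("<HHHHII", data, eocd + 4)
    findings = []
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG: raise ValueError(f"bad CD signature at {pos}")
        flags, method = struct.unpack_from("<HH", data, pos + 8)            # after the two versions
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            findings.append((name, "encryption flag set, but APK entries are never ZIP-encrypted"))
        if method not in ANDROID_METHODS:
            findings.append((name, f"compression method {method} is not one Android installs"))
        pos += 46 + name_len + extra_len + comment_len       # fixed header plus variable tail
    return findings

def stock_zipfile_result(data: bytes) -> str:
    """What an off-the-shelf parser does with the same bytes: trusts the flag, demands a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read("AndroidManifest.xml")
        return "extracted"
    except RuntimeError as exc:      # "File ... is encrypted, password required for extraction"
        return f"refused: {exc}"

def build_constructed_sample(malformed: bool = True) -> bytes:
    """Constructed fixture, not a real Konfety APK: a two-entry archive whose
    AndroidManifest.xml headers are patched to claim encryption and BZIP2 (method 12)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    if malformed:
        cd = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]   # first CD entry
        lfh = struct.unpack_from("<I", data, cd + 42)[0]                     # its local header
        struct.pack_into("<HH", data, cd + 8, FLAG_ENCRYPTED, 12)           # CD flags, method
        struct.pack_into("<HH", data, lfh + 6, FLAG_ENCRYPTED, 12)          # LFH flags, method
    return bytes(data)
```

Running `scan_central_directory(build_constructed_sample())` yields two findings for AndroidManifest.xml and none for classes.dex, while `stock_zipfile_result` on the same bytes returns a refusal because `zipfile` believes the entry is encrypted.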
The latest version of Konfety also incorporates dynamic loading of encrypted executable code during runtime. This code remains hidden during static APK inspection. Buried within the app’s resources is an encrypted secondary DEX file, which is only decrypted and loaded after the application is launched. It supplies components that are declared in the manifest but absent from the static APK—a mismatch that raises red flags for seasoned analysts.
Additionally, the malware reuses techniques observed in earlier campaigns. Notably, it leverages the CaramelAds SDK, infamous for its role in advertising fraud. This component enables the covert display of ads, the surreptitious installation of additional modules, and clandestine communication with remote servers—all without the user’s knowledge. Analysts also noted identical regular expressions and a recurring pop-up agreement screen, pointing to direct lineage from previous attack frameworks.
To disguise itself, Konfety mimics legitimate apps from Google Play by replicating their package names. Internally, however, it offers no actual functionality, often concealing its own name and icon. Upon launch, the user is prompted to accept a vague agreement, after which the browser is opened and redirected through a series of domains. The ultimate aim is to trick the victim into installing unwanted apps or consenting to intrusive notifications.
The report provides clear indicators of compromise, alongside the tactics and techniques aligned with the MITRE ATT&CK framework employed in this campaign. This new version of Konfety vividly illustrates how seemingly rudimentary tactics—like ZIP manipulation and deferred code loading—can be remarkably effective at evading even sophisticated threat detection systems.