Konfety Android Malware: Evasion Techniques and Threat Analysis

Alan V Gutnov

Director of Strategy

July 16, 2025, 3 min read

[Image: Android malware Konfety uses malformed APKs to evade detection. Image courtesy of Zimperium]

A new variant of the Konfety Android malware has emerged, utilizing a malformed ZIP structure and several obfuscation techniques to evade detection and analysis. This malware masquerades as legitimate applications available on Google Play, despite lacking the intended functionalities of these apps.

Malware Capabilities

The Konfety malware can redirect users to malicious websites, initiate unwanted app installs, and generate fake browser notifications. It harnesses the CaramelAds SDK to display hidden advertisements and exfiltrate sensitive information such as installed applications, network configurations, and system details.

[Image: Unwanted ads and redirects triggered by Konfety. Image courtesy of Zimperium]

Although Konfety is not classified as spyware or a remote access tool (RAT), it includes an encrypted secondary DEX file within its APK, which is decrypted and executed at runtime. This file contains clandestine services declared in the AndroidManifest file, enabling the malware to install additional modules dynamically.

Evasion Techniques

Researchers at Zimperium identified several methods employed by Konfety to enhance its evasion tactics:

  1. Evil Twin Applications: The malware uses branding and names of legitimate apps to trick users into installing it, often distributed through third-party stores.
  2. Dynamic Code Loading: This technique hides malicious logic in an encrypted DEX file that only gets decrypted and executed during runtime.
  3. Static Analysis Manipulation: Konfety alters APK files to confuse static analysis tools. For example, it sets the General Purpose Bit Flag to signal encryption, triggering false password prompts that delay or block access to the APK contents.

[Image: Analysis tools crashing when trying to parse the malicious APK. Image courtesy of Zimperium]

  4. APK File Manipulation: Critical files in the APK are declared using unsupported BZIP compression, which is not recognized by many analysis tools, leading to parsing failures. Android's fallback mechanism allows the app to install and run seamlessly on devices.

User Impact

Once installed, Konfety hides its icon and name, employing geofencing to modify its behavior based on the user's location. This malware's ability to redirect users to harmful sites and generate persistent spam notifications poses significant risks to Android users.

Mitigation Strategies

To protect against Konfety and similar threats, it is advisable to:

  • Avoid installing APK files from third-party stores.
  • Enable Google Play Protect on Android devices for malware scanning.
  • Consider additional security measures such as installing reputable Android antivirus applications.

For comprehensive protection against sophisticated malware like Konfety, explore the solutions offered by Gopher Security.

Indicators of Compromise (IOCs)

Zimperium has compiled a list of IOCs for detecting this malware variant. For detailed detection and analysis, refer to the Zimperium repository.


Unsupported Compression Methods in Android Malware

[Image: Unsupported compression methods enable Android malware to bypass detection. Image courtesy of Zimperium]

Research from Zimperium has revealed that 3,300 Android malware samples utilize unsupported compression methods to evade detection. This technique significantly hampers the ability of decompilation tools to analyze these applications.

Techniques Employed

  1. Unsupported Compression Methods: Android APK files, which are ZIP archives, support only two compression methods: STORED (0x0000) and DEFLATED (0x0008). Malware developers exploit this limitation by using unsupported compression methods, leading to analysis failures in tools like APKTool and JADX.

[Image: APKtool. Image courtesy of Zimperium]

  2. File Manipulation: Techniques such as long filenames exceeding 256 bytes can cause crashes in analysis tools. Additionally, malformed AndroidManifest.xml files can prevent correct parsing by these tools.
  3. Increased Complexity: Malware authors continuously tweak their applications to avoid detection. Many samples are so corrupted that they cannot be loaded by the Android OS, yet 71 malicious samples were identified that can still be executed.
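Added example, not code from Zimperium or Gopher Security, covering the ZIP-level tricks listed in both the Konfety evasion list above and the "Techniques Employed" list here: a small central-directory walker that flags entries whose compression method is anything other than STORED (0) or DEFLATED (8), entries with the General Purpose Bit Flag encryption bit set, and filenames longer than 256 bytes. The APK-like ZIP is constructed in memory; BZIP2 (method 12) is the article's example of an unsupported method, while the tampering helper and all function names are this example's own assumptions.

```python
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"          # central directory file header signature
EOCD_SIG = b"PK\x05\x06"        # end of central directory record signature
ANDROID_METHODS = {0: "STORED", 8: "DEFLATED"}  # the only methods Android accepts
GPBF_ENCRYPTED = 0x0001         # bit 0 of the General Purpose Bit Flag

def central_entries(data):
    """Yield (cd_offset, flags, method, local_offset, name) per entry, walking
    the central directory from the offset recorded in the EOCD record."""
    eocd = data.rfind(EOCD_SIG)
    pos, = struct.unpack_from("<I", data, eocd + 16)
    while data[pos:pos + 4] == CD_SIG:
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        yield pos, flags, method, local_off, data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len

def audit_apk(data):
    """Return (name, reason) findings for the three tricks described above."""
    findings = []
    for _, flags, method, _, name in central_entries(data):
        fname = name.decode("utf-8", "replace")
        if method not in ANDROID_METHODS:
            findings.append((fname, f"unsupported compression method {method}"))
        if flags & GPBF_ENCRYPTED:
            findings.append((fname, "encryption flag set (GPBF bit 0)"))
        if len(name) > 256:
            findings.append((fname[:16] + "...", f"filename of {len(name)} bytes"))
    return findings

def build_sample(tamper=True):
    """Constructed APK-like ZIP (hypothetical helper). With tamper=True, classes.dex
    is patched to method 12 (BZIP2) with GPBF bit 0 set, in both its local header
    and its central directory entry, and a 308-byte resource name is added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        if tamper:
            zf.writestr("res/" + "a" * 300 + ".png", b"\x89PNG")
    data = bytearray(buf.getvalue())
    if tamper:
        for cd_off, _, _, local_off, name in central_entries(bytes(data)):
            if name == b"classes.dex":
                struct.pack_into("<HH", data, cd_off + 8, GPBF_ENCRYPTED, 12)
                struct.pack_into("<HH", data, local_off + 6, GPBF_ENCRYPTED, 12)
    return bytes(data)
```

Running audit_apk over a real APK's bytes works the same way, since Android reads the central directory rather than the local headers, which is why the patched entry is checked in both places here.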

Protection Against Such Threats

Zimperium's solutions, such as Mobile Threat Defense, provide on-device detection to mitigate risks associated with these sophisticated malware tactics.

For a robust defense against Android malware, consider the offerings from Gopher Security.


