Evolving Threat: Konfety Android Malware Employs ZIP Manipulation and Dynamic Loading

Discover how the Konfety Android malware has evolved with sophisticated ZIP manipulation and dynamic loading techniques to evade detection and wreak havoc on unsuspecting users.

TL;DR

The Konfety Android malware has evolved to use sophisticated ZIP manipulation and dynamic loading techniques to evade detection. This variant employs malformed ZIP files, obfuscation, and fake apps to deceive users and security tools. The malware is linked to previous campaigns involving ad fraud and silent payload installations.

Zimperium zLabs researchers have identified a new, sophisticated variant of the Konfety Android malware. This variant employs an “evil-twin” tactic and duplicate package names to avoid detection, posing a significant threat to mobile security.

Advanced Evasion Techniques

The new Konfety malware variants use malformed ZIP files to evade analysis tools. By setting a misleading flag and declaring an unsupported BZIP compression method, the malware leads security tools to incorrectly treat the APK as encrypted. The mismatch between what the headers declare and what the archive actually contains results in partial decompression and invalid file parsing, making it difficult for tools to analyze the malware effectively.[1]

The APK has bit 0 (the encryption flag) of the General Purpose Bit Flag set. This causes some tools to incorrectly identify the APK (ZIP) as encrypted and subsequently prompt for a password before decompression.

Low-Level ZIP Tricks and Obfuscation

Konfety employs low-level ZIP tricks to block security tools from analyzing its code. These tricks can trigger fake password prompts or crash tools like APKTool and JADX. However, Android handles these unusual files gracefully, quietly installing the app by treating unsupported formats as normal files.
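The two header tricks described above (encryption flag set, unsupported compression method declared) can be checked for without handing the archive to a ZIP library that would refuse such entries. The following is an added example, not code from the Zimperium report: it walks the central directory by hand, flags the anomalies, and cross-checks each local file header against the central directory. The APK-like sample it scans is constructed inline and tampered the same way the report describes.

```python
import io
import struct
import zipfile

EXPECTED_METHODS = {0, 8}   # stored / deflate: what a normal APK uses
ENCRYPTED_FLAG = 0x0001     # bit 0 of the General Purpose Bit Flag

def iter_central_directory(data: bytes):
    """Yield (name, cd_pos, flags, method, local_offset) per entry, parsed by
    hand so entries zipfile would reject are still inspected."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    total, cd_offset = struct.unpack_from("<HHHHIIH", data, eocd + 4)[3::2][:2]
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError(f"bad central directory header at offset {pos}")
        (_, _, flags, method, _, _, _, _, _, name_len, extra_len, comment_len,
         _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos, flags, method, local_off
        pos += 46 + name_len + extra_len + comment_len

def find_zip_anomalies(data: bytes) -> list:
    """Return one message per ZIP-level oddity of the kind described above."""
    findings = []
    for name, _, flags, method, local_off in iter_central_directory(data):
        if flags & ENCRYPTED_FLAG:
            findings.append(f"{name}: encryption flag (bit 0) set")
        if method not in EXPECTED_METHODS:
            findings.append(f"{name}: compression method {method} is not stored/deflate")
        # Local header (flags at +6, method at +8) must agree with the central directory;
        # a disagreement is exactly the kind of inconsistency that breaks analysis tools.
        l_flags, l_method = struct.unpack_from("<HH", data, local_off + 6)
        if (l_flags, l_method) != (flags, method):
            findings.append(f"{name}: local header disagrees with central directory")
    return findings

def build_sample(tamper: bool = True) -> bytes:
    """Constructed sample: a minimal APK-like ZIP; with tamper=True the classes.dex
    entry is rewritten to claim encryption and BZIP2 (ZIP method 12)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    for name, cd_pos, _, _, local_off in list(iter_central_directory(bytes(data))):
        if tamper and name == "classes.dex":
            struct.pack_into("<HH", data, cd_pos + 8, ENCRYPTED_FLAG, 12)    # central directory
            struct.pack_into("<HH", data, local_off + 6, ENCRYPTED_FLAG, 12)  # local file header
    return bytes(data)
```

Running `find_zip_anomalies(build_sample())` reports the encryption flag and the method-12 declaration on `classes.dex`, while the untampered sample yields no findings.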

The latest Konfety variants also use advanced obfuscation techniques to avoid detection. They load hidden, encrypted code at runtime, so that code is invisible to standard static scans. This hidden code, contained in a secondary DEX file, implements key components that are declared in the app's manifest but absent from the main code, a mismatch that should raise red flags.[1]

One of the key techniques employed is dynamic code loading, where additional executable code is loaded at runtime from an encrypted asset bundled within the APK.

These components link back to Konfety's past use of the CaramelAds SDK for ad fraud. This allows the malware to silently run ads, install payloads, and communicate with remote servers without the user's knowledge. Further indicators linking the current malware to the earlier campaign include the appearance of a User Agreement popup and the presence of a specific regular expression within the code.[1]

Disguising as Legitimate Apps

Konfety disguises itself as a legitimate Google Play app but delivers none of its claimed features. It uses the same package name as a legitimate app on the Play Store but lacks that app's functionality, and it hides its icon and app name to remain stealthy. Upon launch, it tricks users into accepting a user agreement, then opens a browser that connects to a remote server. From there it redirects through several sites, ultimately leading victims to install unauthorized apps or enable intrusive browser notifications.[1]

Indicators of Compromise

The report includes indicators of compromise for this campaign, along with the associated MITRE tactics and techniques.[2]

Additional Resources

For further insights, check:

References

  1. Zimperium zLabs (2025). “Konfety Returns: Classic Mobile Threat with New Evasion Techniques”. Zimperium. Retrieved 2025-07-15.

  2. Zimperium zLabs (2025). “Indicators of Compromise for Konfety Malware”. GitHub. Retrieved 2025-07-15.

This post is licensed under CC BY 4.0 by the author.