Full Report
A new variant of the Konfety Android malware emerged with a malformed ZIP structure along with other obfuscation methods that allow it to evade analysis and detection. [...]
Analysis Summary
# Tool/Technique: Konfety
## Overview
Konfety is an Android malware family that utilizes specific file manipulation techniques within its APK structure to evade static analysis tools. Its primary goal appears to be achieving successful installation and execution on Android devices by confusing malware analysis environments.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Evasion of static analysis tools using malformed APKs, icon/name hiding post-installation, and geofencing for dynamic behavioral changes.
- First Seen: Not explicitly stated in the source; the variant is described as new and is discussed alongside the April 2024 SoumniBot detection, suggesting ongoing evolution of the technique.
## MITRE ATT&CK Mapping
*Note: Since the primary focus is evasion during packaging/installation, the mapping focuses on techniques related to execution and defense evasion.*
- TA0005 - Defense Evasion
  - T1480 - Deception
    - T1480.001 - Image Evasion (related to file manipulation for evasion)
- TA0002 - Execution
  - T1204 - User Execution (implied by initial installation via APK)
## Functionality
### Core Capabilities
- **Malformed APK Delivery:** Declaring a compression method Android does not support (bzip2, ZIP method 0x000C) on critical APK entries, so the archive is malformed from the point of view of the APK specification while remaining a structurally valid ZIP.
- **Analysis Evasion:** Causing analysis tools such as APKTool and JADX to crash or fail to parse the archive because of the unsupported compression method, while the Android OS itself installs the package without error by falling back to its default processing of the entry.
- **Persistence/Hiding:** Hiding its application icon and name after successful installation.
### Advanced Features
- **Geofencing Behavior:** Modifying its post-installation behavior based on the victim's geographical region.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified, but relates to APK file structure manipulation]
- Registry Keys: [Not applicable to Android ecosystem in this context]
- Network Indicators: [C2 or network activity not detailed, focus is evasion phase]
- Behavioral Indicators: Crashing analysis tools upon parsing; hiding app icon post-install.
## Associated Threat Actors
- Association not explicitly named, but the technique is shared with other campaigns (e.g., SoumniBot).
## Detection Methods
- Signature-based detection: Likely ineffective against the initial installation package due to obfuscation technique.
- Behavioral detection: Useful for detecting post-installation behavior such as icon removal or geofencing checks.
- YARA rules: Potentially useful for rules that flag a bzip2 compression-method declaration (0x000C) in ZIP entry headers for APK sections that are normally stored or deflated.
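As an added example (not code from the source report or any named tool) of the detection idea above, the following scanner walks an APK's ZIP central directory by hand and reports every entry whose declared compression method is not one Android accepts, so a bogus method code cannot abort the scan the way it aborts decompression-driven tools. The single-entry archive it checks is constructed inline; the entry name and payload are made up for the test.

```python
import struct

# ZIP compression-method codes; Android's APK parser only accepts STORED and DEFLATED.
STORED, DEFLATED, BZIP2 = 0, 8, 0x000C
ANDROID_SUPPORTED = {STORED, DEFLATED}


def scan_apk_compression(data: bytes) -> list[tuple[str, int]]:
    """Return (entry_name, method) for each central-directory entry whose declared
    compression method is not STORED or DEFLATED. Only headers are read; nothing is
    inflated, so a method code the decompressor cannot handle does not stop the scan."""
    # End Of Central Directory record: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2)
    # cd_size(4) cd_offset(4) comment_len(2); search back past a maximal comment.
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if eocd < 0:
        raise ValueError("no End Of Central Directory record found")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    findings, pos = [], cd_offset
    for _ in range(n_entries):
        # Central directory header is 46 bytes: method at +10, name/extra/comment lengths at +28.
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError(f"bad central directory signature at offset {pos}")
        (method,) = struct.unpack_from("<H", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if method not in ANDROID_SUPPORTED:
            findings.append((name, method))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def build_sample_apk(name: bytes, method: int, payload: bytes) -> bytes:
    """Constructed one-entry archive whose headers declare `method` while the payload is
    left as raw bytes (CRC zeroed); this mirrors a declared-but-not-applied method."""
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0, 0,
                        len(payload), len(payload), len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method, 0, 0,
                          0, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed samples: one manifest entry declaring bzip2, one ordinary deflated entry.
SUSPECT_APK = build_sample_apk(b"AndroidManifest.xml", BZIP2, b"<constructed manifest bytes>")
CLEAN_APK = build_sample_apk(b"classes.dex", DEFLATED, b"constructed dex bytes")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_APK), ("clean", CLEAN_APK)):
        print(label, scan_apk_compression(blob))  # suspect -> [('AndroidManifest.xml', 12)]
```

Running the same walk over a real APK's central directory gives the list of entries a YARA rule on the header bytes would need to cover.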
## Mitigation Strategies
- Avoid installing APK files from third-party Android app stores and only trust software from known publishers.
- Use static analysis tools that handle malformed or non-standard compressed structures, or at least report the error clearly instead of crashing; alternatively, analyse the sample in an emulation environment that reproduces the Android OS's own installation behaviour rather than relying solely on static parsers.
## Related Tools/Techniques
- **SoumniBot Malware:** Previously observed using compression-based obfuscation, declaring invalid compression methods, fake file sizes, and large namespace strings to confuse analysis tools.