AI-Based Obfuscated Malicious Apps Evading AV Detection to Deploy Malicious Payload

A new wave of malicious Android applications impersonating a well-known Korean delivery service has emerged, featuring advanced obfuscation techniques powered by artificial intelligence.

The apps evade traditional antivirus detection while harvesting sensitive information from the device.

The operators combine several evasion techniques, on the device and on the network, to keep the campaign running undetected.

The malware campaign relies on a clever delivery mechanism that disguises itself as a legitimate package tracking application.

When users grant the necessary permissions, the app displays an interface resembling the real delivery service by connecting to authentic tracking websites using randomly generated tracking numbers.

Metadata of the malicious app (Source - ASEC)

This social engineering approach builds trust while the application performs malicious activities in the background, making it particularly dangerous for unsuspecting victims.


ASEC security analysts identified this malware after detecting repeated distribution patterns across various channels.

The investigation revealed that threat actors utilized AI-enhanced obfuscation techniques to disguise the app’s functionality and make reverse engineering significantly more difficult for security researchers.

Detection Evasion Through Intelligent Obfuscation

The technical sophistication of these applications lies in their obfuscation. The developers applied ProGuard obfuscation that ASEC describes as AI-based, renaming every class, method and variable to a meaningless eight-character Korean string.

This differs from a standard ProGuard build, which shortens identifiers to Latin letters such as a, b or ab. Detection rules and analyst tooling tuned for those names miss the Hangul identifiers, and an unfamiliar script slows manual reverse engineering. The fixed length and single script are, however, themselves a pattern that triage logic can look for.

Permission request (Source - ASEC)

Resource names were left unmodified, which points to a selective strategy: hide the code that implements the app's core functionality while keeping the layouts and other resources intact so the app still runs and looks normal.
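The naming pattern described above can be turned into a triage check. The script below is an added example, not code from ASEC or from the campaign: it takes a list of code identifiers (class descriptors, method and field names as produced by dexdump or an apktool smali dump) and reports how many consist solely of Hangul characters of exactly eight characters. Resource names should not be fed to it, since the article notes those were not renamed. The sample identifiers, the eight-character length and the flagging threshold are constructed for the example.

```python
"""Triage heuristic: flag an APK whose code identifiers (class, method and
field names) have been renamed to fixed-length Hangul strings.
Added example; sample input and threshold are constructed, not real IOCs."""
import re
from dataclasses import dataclass
from typing import Iterable

# Hangul syllable block plus the two Jamo blocks. Assumption: the renamed
# identifiers use syllable characters; Jamo are included defensively.
HANGUL_RE = re.compile(r"^[\u1100-\u11FF\u3130-\u318F\uAC00-\uD7A3]+$")
OBFUSCATED_LEN = 8  # eight-character strings, as reported for this campaign


@dataclass
class IdentifierStats:
    total: int
    hangul: int        # identifiers made only of Hangul characters
    hangul_fixed: int  # ... and exactly OBFUSCATED_LEN characters long

    @property
    def fixed_ratio(self) -> float:
        return self.hangul_fixed / self.total if self.total else 0.0


def simple_name(identifier: str) -> str:
    """Reduce a dex descriptor 'Lcom/a/b/Foo;' or dotted 'com.a.b.Foo' to its
    final segment; bare method and field names pass through unchanged."""
    name = identifier.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace(".", "/").rsplit("/", 1)[-1]


def classify_identifiers(identifiers: Iterable[str]) -> IdentifierStats:
    total = hangul = hangul_fixed = 0
    for raw in identifiers:
        name = simple_name(raw)
        if not name:
            continue
        total += 1
        if HANGUL_RE.match(name):
            hangul += 1
            if len(name) == OBFUSCATED_LEN:
                hangul_fixed += 1
    return IdentifierStats(total, hangul, hangul_fixed)


def looks_hangul_obfuscated(identifiers: Iterable[str], threshold: float = 0.5,
                            min_identifiers: int = 10) -> bool:
    """True when a meaningful share of the identifiers match the pattern.
    The threshold and minimum sample size are tuning assumptions."""
    stats = classify_identifiers(list(identifiers))
    return stats.total >= min_identifiers and stats.fixed_ratio >= threshold


# Constructed sample: framework classes are never renamed by ProGuard, the
# app's own classes, methods and fields are; one short Hangul name and one
# surviving lifecycle method are included to show what does not count.
SAMPLE_IDENTIFIERS = [
    "Landroid/app/Activity;",
    "Landroidx/appcompat/app/AppCompatActivity;",
    "Lcom/delivery/track/가나다라마바사아;",
    "Lcom/delivery/track/나다라마바사아자;",
    "Lcom/delivery/track/다라마바사아자차;",
    "Lcom/delivery/track/라마바사아자차카;",
    "마바사아자차카타",
    "바사아자차카타파",
    "사아자차카타파하",
    "아자차카타파하가",
    "자차카",
    "onCreate",
]

if __name__ == "__main__":
    s = classify_identifiers(SAMPLE_IDENTIFIERS)
    print(f"{s.hangul_fixed}/{s.total} identifiers are {OBFUSCATED_LEN}-char Hangul "
          f"({s.fixed_ratio:.0%}); flagged={looks_hangul_obfuscated(SAMPLE_IDENTIFIERS)}")
```

In practice the identifier list comes from the APK under analysis, for example the class names in `dexdump -d classes.dex` output or the file names under an apktool `smali/` tree; library and framework classes will dilute the ratio, so a low threshold with a per-package breakdown works better than a single global number.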

Security researchers found that, after collecting information from an infected device, the malware exfiltrates it to compromised legitimate websites that have been repurposed as command-and-control servers.

Rather than embedding those server addresses in the app, the threat actors placed them in blog posts hosted on Korean portals and hardcoded only the blog URLs; the app fetches the current C2 address from the post each time it launches.

This dead-drop arrangement adds a detection barrier: the app's first outbound request goes to a popular portal, and the exfiltration traffic goes to an otherwise legitimate site, so both look benign to network monitoring. It also lets the operators move to a new server by editing the blog post, without redistributing the app.
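The resolver pattern just described can still be caught by correlating proxy traffic rather than by blocklisting hosts. The check below is an added example, not from ASEC or the article: it walks constructed proxy log lines and flags a device that fetches a page from a configured blog host and then, within a short window, POSTs data to a host that the legitimate tracking app is not expected to contact. The blog host, the expected tracking host, the log format and the two-minute window are all assumptions for the example, since the article does not name the portals or sites involved.

```python
"""Correlation check for the dead-drop C2 pattern: a device fetches a blog
page, then shortly afterwards uploads data to an unexpected host.
Added example with constructed proxy logs; hosts and window are assumptions."""
from datetime import datetime, timedelta

# Assumed configuration: blog hosts of the portals used as dead drops, and the
# hosts a genuine parcel-tracking app is expected to talk to.
DEAD_DROP_HOSTS = {"blog.portal.example"}
EXPECTED_HOSTS = {"tracking.courier.example"}
WINDOW = timedelta(minutes=2)

# Constructed log lines: timestamp, device, method, host, path, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:01 dev-17 GET tracking.courier.example /track?no=48213 0
2024-05-01T09:00:03 dev-17 GET blog.portal.example /user123/221 0
2024-05-01T09:00:07 dev-17 POST www.small-shop.example /wp-content/up.php 51200
2024-05-01T09:05:00 dev-42 GET blog.portal.example /user999/7 0
2024-05-01T09:05:02 dev-42 GET tracking.courier.example /track?no=10 0
2024-05-01T09:30:00 dev-17 GET blog.portal.example /user123/221 0
2024-05-01T09:45:00 dev-17 POST www.small-shop.example /wp-content/up.php 4096
"""


def parse_log(text: str):
    """Parse the constructed space-separated format into event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, method, host, path, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), dev, method, host, path, int(nbytes)))
    return events


def find_dead_drop_exfil(events, window: timedelta = WINDOW):
    """Return (device, blog_host, upload_host, bytes) for every POST to an
    unexpected host that follows the same device's dead-drop fetch within
    `window`. The 09:45 upload in the sample is outside the window and is
    deliberately not reported, to keep the rule tied to the launch sequence."""
    last_drop = {}  # device -> (time of most recent blog fetch, blog host)
    hits = []
    for ts, dev, method, host, path, nbytes in sorted(events):
        if host in DEAD_DROP_HOSTS:
            last_drop[dev] = (ts, host)
            continue
        if method == "POST" and host not in EXPECTED_HOSTS:
            drop = last_drop.get(dev)
            if drop and ts - drop[0] <= window:
                hits.append((dev, drop[1], host, nbytes))
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_exfil(parse_log(SAMPLE_LOG)):
        print("dead-drop resolver followed by upload:", hit)
```

The rule is intentionally narrow: a user browsing a blog and then uploading a photo elsewhere would also trip it, so in a SOC it would be scoped to the process or package generating the traffic where the proxy or EDR records that, and combined with the app-level indicators above.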

ASEC's report lists five MD5 hashes for the identified samples, together with the URLs of the compromised Korean domains used for data exfiltration.

Security teams should block those indicators across their networks, and users should treat any delivery-tracking app that is installed from outside an official store or that requests permissions unrelated to parcel tracking with suspicion.
