Hackers Using BadPack APK Packer to Hide Malware File Structure


Hackers often abuse APK packers to hide malicious code inside Android applications, which makes the malware harder for security products to detect and analyze.

This technique increases the likelihood of a successful compromise while helping the malware stay persistent and hidden on infected devices.

Cybersecurity analysts at Palo Alto Networks' Unit 42 recently identified hackers using the BadPack APK packer to hide the malware's file structure.

BadPack APK Malware Wired Trick

BadPack APK files are a growing cybersecurity threat: they are Android applications whose ZIP headers have been tampered with.

These files are difficult to analyze with reverse engineering tools, and banking Trojans including BianLian and Cerberus often employ them.

The tampering typically targets AndroidManifest.xml, the most important file in an APK, which makes static analysis difficult.

WildFire found around 9,200 BadPack samples between June 2023 and June 2024, which shows the need for a better understanding of this evolving malware technique and of ways to detect it.

APK files are ZIP archives, and each entry in the archive is described twice: by a local file header placed before the entry's data and by an entry in the central directory at the end of the file. These headers hold the essential information about the archive's structure and contents.

The Unit 42 report states that, to abuse this format, BadPack malware authors deliberately alter header fields, creating mismatches between the local file headers and the central directory.

This makes it hard to analyze or extract the APK's contents while still allowing the malicious app to run on an Android device.

Detecting BadPack malware therefore requires knowing how these header structures are built and how they are manipulated.

BadPack tampers with APK headers so that the local file headers and the central directory disagree. The technique exploits the fact that analysis tools and the Android runtime process APKs differently.

Apktool and Jadx fail to extract files once the headers have been tampered with, but Android devices can still install and run the app because the runtime checks only the central directory headers.

Malware authors achieve this by setting mismatched compression methods or sizes in the two kinds of header.
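A defender-side consistency check of the kind the description above implies, as an added example (this is not Unit 42's code or apkInspector): it compares each central directory entry with the local file header it points at and flags differing names, compression methods, sizes or CRCs. The minimal APK-like ZIP it inspects is constructed inline; the tampered variant flips only one compression-method field to reproduce the mismatch pattern.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header layout (30 bytes, little-endian):
# sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
LOCAL_FMT = "<4sHHHHHIIIHH"


def find_header_mismatches(data: bytes) -> list[str]:
    """Compare every central directory entry with the local file header it references.
    Returns human-readable mismatch descriptions; an empty list means the headers agree."""
    findings = []
    zf = zipfile.ZipFile(io.BytesIO(data))      # zipfile reads only the central directory
    for info in zf.infolist():
        off = info.header_offset
        sig, _ver, flags, l_method, _t, _d, l_crc, l_csize, l_usize, nlen, _xlen = \
            struct.unpack_from(LOCAL_FMT, data, off)
        if sig != LOCAL_SIG:
            findings.append(f"{info.filename}: no local header signature at offset {off}")
            continue
        l_name = data[off + 30: off + 30 + nlen].decode("utf-8", "replace")
        checks = [("name", l_name, info.filename),
                  ("compression method", l_method, info.compress_type)]
        # With general-purpose bit 3 set, sizes and CRC legitimately live in a trailing
        # data descriptor and the local header holds zeros, so only compare them otherwise.
        if not flags & 0x8:
            checks += [("compressed size", l_csize, info.compress_size),
                       ("uncompressed size", l_usize, info.file_size),
                       ("crc32", l_crc, info.CRC)]
        for label, local_val, central_val in checks:
            if local_val != central_val:
                findings.append(f"{info.filename}: {label} local={local_val} central={central_val}")
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed sample: a tiny APK-like ZIP. With tamper=True the local header's
    compression-method field for AndroidManifest.xml is overwritten with 0 (stored),
    while the central directory still says 8 (deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64))
    data = bytearray(buf.getvalue())
    if tamper:
        off = zipfile.ZipFile(io.BytesIO(bytes(data))).getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0)  # method field sits at local header offset 8
    return bytes(data)
```

Running the check over a real APK is the same call with the file's bytes; any finding on AndroidManifest.xml is the signal worth triaging, since the Android runtime will still accept the archive.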

As experiments on extracting AndroidManifest.xml and on installing samples onto real Android devices have shown, understanding and reversing these manipulations is essential for analyzing BadPack samples.

Because of its manipulated headers and compression fields, BadPack defeats traditional analysis tools such as JAR, Unzip, and Apksigner.

Unlike most other tools, the open-source apkInspector is able to extract and decode AndroidManifest.xml files from BadPack samples.

This developing challenge shows the need for advanced analysis techniques and tools. Users can reduce their exposure by not installing apps from untrusted or third-party sources and by declining applications that request unusual permissions.

IoCs

The SHA256 hashes of BadPack malware samples are listed below:

  • 0003445778b525bcb9d86b1651af6760da7a8f54a1d001c355a5d3ad915c94cb
  • 015bd2e799049f5e474b80cbbdcd592ce4e2dfbfae183bada86a9b6ec103e25e
  • 131135a7c911bd45db8801ca336fc051246280c90ae5dafc33e68499d8514761
  • 90c41e52f5ac57b8bd056313063acadc753d44fb97c45c2dc58d4972fe9f9f21
