Konfety Android Malware on Google Play Uses ZIP Manipulation to Imitate Legitimate Apps
Sophisticated Android malware variant exploits ZIP-level manipulation and dynamic code loading to evade detection while conducting ad fraud operations targeting mobile users globally.
Zimperium’s zLabs security research team has identified a new and highly sophisticated variant of the Konfety Android malware that employs advanced evasion techniques to bypass security analysis tools and conduct fraudulent advertising operations.
This latest iteration represents a significant evolution in mobile malware capabilities, demonstrating how threat actors are continuously adapting their tactics to circumvent detection mechanisms.
Konfety Android Malware on Google Play
The Konfety malware family first emerged as part of a massive mobile advertising fraud campaign that was initially disrupted by security researchers in 2024.
The original operation involved more than 250 decoy applications on Google Play Store, each paired with malicious “evil twin” counterparts distributed through third-party channels.
At its peak, the campaign generated an astounding 10 billion fraudulent ad requests per day, highlighting the scale and financial impact of this sophisticated operation.
The malware derives its name from the Russian word for “candy,” referencing its abuse of the CaramelAds mobile advertising software development kit (SDK).
The threat actors behind Konfety demonstrated remarkable innovation by creating a dual-app ecosystem where legitimate-looking decoy applications on official app stores provided cover for malicious variants distributed through alternative channels.
New Evasion Techniques: ZIP-Level Manipulation
The latest Konfety variant represents a significant advancement in anti-analysis techniques, specifically targeting the tools used by security researchers to examine Android applications.
The malware employs several sophisticated ZIP-level manipulation tactics designed to break common analysis tools and complicate reverse engineering efforts.
One of the most innovative evasion techniques involves manipulating the General Purpose Flag within the APK’s ZIP structure.
The malware sets bit 0 of the entry's General Purpose Bit Flag field, which in the ZIP format signals that the entry is encrypted, even though the data is not actually encrypted. This false flag causes analysis tools to treat the APK as password-protected and to prompt for a password before decompressing it.

This technique effectively blocks security tools from extracting files by triggering password prompts, preventing deeper inspection of the malware’s code and functionality. The manipulation operates at a fundamental level, exploiting how ZIP parsers handle file headers and metadata.
The second major evasion technique involves declaring an unsupported compression method in the ZIP headers for the AndroidManifest.xml entry. Specifically, the malware declares the BZIP2 compression method (0x000C) for critical files, despite not actually compressing them with this algorithm.
This discrepancy causes analysis tools like APKTool and JADX to crash entirely when attempting to process the file, as they encounter an unexpected compression method they cannot handle.
The beauty of this approach lies in Android's resilient handling of such anomalies. When the Android operating system encounters an unsupported compression type, it quietly falls back to treating the entry as if it were simply stored (uncompressed), allowing the installation process to continue without disruption. This ensures system stability while simultaneously defeating security analysis tools.
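Both header tricks above can be checked for without any third-party tool, because an APK is an ordinary ZIP archive. The script below is an added example written for this article, not Zimperium's tooling or the malware's code: it parses the ZIP central directory directly, reports entries whose encryption bit (bit 0) is set or whose compression method is neither stored nor deflated, shows that Python's own zipfile module stops at the forged encryption flag, and then reads the entry's raw bytes the way Android's fallback does. The APK it inspects is a minimal archive constructed in the script itself (placeholder manifest and DEX contents), not a real Konfety sample; the function and constant names are this example's own.

```python
"""Added example: spot Konfety-style ZIP header tampering in an APK.

Walks the central directory by hand, flags the forged "encrypted" bit and an
unsupported compression method, and recovers the entry as stored data, which
is what Android's installer does. The sample APK is constructed here; it is
not a real malware sample.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
CD_SIG = b"PK\x01\x02"      # central directory header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature

FLAG_ENCRYPTED = 0x0001     # general purpose bit flag, bit 0
STORED, DEFLATED = 0, 8     # the only methods an Android APK may use
METHOD_BZIP2 = 0x000C       # the bogus method the article describes


def iter_central_directory(data):
    """Yield one dict per central directory entry, parsed straight from the bytes."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        csize, = struct.unpack_from("<I", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("utf-8", "replace")
        yield {"name": name, "flags": flags, "method": method,
               "csize": csize, "local_off": local_off, "cd_off": pos}
        pos += 46 + name_len + extra_len + comment_len


def find_header_anomalies(data):
    """Return (entry name, reason) pairs for headers that would trip analysis tools."""
    findings = []
    for e in iter_central_directory(data):
        if e["flags"] & FLAG_ENCRYPTED:
            findings.append((e["name"], "encryption bit set on an unencrypted APK entry"))
        if e["method"] not in (STORED, DEFLATED):
            findings.append((e["name"], f"unsupported compression method 0x{e['method']:04x}"))
        # The local header carries its own copy of both fields; a disagreement
        # between the two copies is a further sign of hand-edited headers.
        lo = e["local_off"]
        if data[lo:lo + 4] != LOCAL_SIG:
            findings.append((e["name"], "central directory points at a non-header offset"))
            continue
        lflags, lmethod = struct.unpack_from("<HH", data, lo + 6)
        if (lflags & FLAG_ENCRYPTED, lmethod) != (e["flags"] & FLAG_ENCRYPTED, e["method"]):
            findings.append((e["name"], "local header disagrees with central directory"))
    return findings


def recover_stored_entry(data, name):
    """Read an entry's raw bytes, ignoring flags and method, as Android's fallback does."""
    for e in iter_central_directory(data):
        if e["name"] == name:
            lo = e["local_off"]
            name_len, extra_len = struct.unpack_from("<HH", data, lo + 26)
            start = lo + 30 + name_len + extra_len
            return bytes(data[start:start + e["csize"]])
    raise KeyError(name)


def stdlib_extract_error(data, name):
    """Exception name raised by Python's zipfile for the entry, or None if it reads cleanly."""
    try:
        zipfile.ZipFile(io.BytesIO(bytes(data))).read(name)
        return None
    except Exception as exc:  # the forged bit 0 makes zipfile demand a password
        return type(exc).__name__


def build_sample_apk(tampered):
    """Construct a minimal APK-shaped ZIP; optionally forge the manifest's headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")      # constructed placeholder
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("assets/payload.bin", b"\x00" * 8)
    data = bytearray(buf.getvalue())
    if tampered:
        for e in list(iter_central_directory(data)):
            if e["name"] == "AndroidManifest.xml":
                # Rewrite flags and method in both the central directory and the local header.
                struct.pack_into("<HH", data, e["cd_off"] + 8, FLAG_ENCRYPTED, METHOD_BZIP2)
                struct.pack_into("<HH", data, e["local_off"] + 6, FLAG_ENCRYPTED, METHOD_BZIP2)
    return bytes(data)


if __name__ == "__main__":
    apk = build_sample_apk(tampered=True)
    for entry, reason in find_header_anomalies(apk):
        print(f"{entry}: {reason}")
    print("stdlib zipfile:", stdlib_extract_error(apk, "AndroidManifest.xml"))
    print("recovered:", recover_stored_entry(apk, "AndroidManifest.xml"))
```

Run against a real APK by replacing `build_sample_apk` with the file's bytes: any entry the script flags is worth a manual look, and `recover_stored_entry` gives you the manifest bytes even when a tool that honours the forged headers refuses to extract them. Reading the central directory rather than trusting the local headers mirrors what the installer does, so the check sees the file the way the device will.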
Dynamic Code Loading and Obfuscation
Beyond ZIP-level manipulation, the new Konfety variant employs sophisticated dynamic code loading techniques to conceal its malicious functionality. The malware includes multiple layers of obfuscation specifically designed to hinder both static and dynamic analysis approaches.
The malware utilizes dynamic code loading by embedding additional executable code within encrypted assets bundled inside the APK. This encrypted file contains a secondary DEX (Dalvik Executable) file that remains completely hidden during standard APK inspection procedures.
The encryption ensures that the malicious payload is not immediately visible to security researchers or automated analysis systems.
Upon execution, the application decrypts and loads this hidden DEX file into memory, enabling it to execute additional malicious logic that was completely concealed during installation.

This runtime decryption and loading process allows the malware to maintain a benign appearance while harboring sophisticated attack capabilities.
The hidden DEX file contains several application components, including activities, services, and receivers that are declared in the AndroidManifest.xml but are conspicuously missing from the primary APK codebase.
This deliberate inconsistency serves as both an evasion technique and a detection trigger for security researchers who notice the discrepancy between declared and implemented components.
Most significantly, the concealed code includes a specific service related to the CaramelAds SDK, which previous Konfety campaigns heavily exploited for large-scale ad fraud operations.
While the CaramelAds SDK is not inherently malicious, threat actors have consistently exploited it to silently fetch and render advertisements, sideload additional payloads, and maintain communication with remote command-and-control servers.
The Konfety malware maintains a sophisticated command-and-control infrastructure that has evolved significantly since the original campaign. Analysis of the malware’s network communications reveals a multi-stage process designed to evade detection and maximize fraudulent revenue generation.
Upon installation, the malware presents users with a User Agreement pop-up, a characteristic feature that links the current variant to earlier Konfety campaigns. After users accept this agreement, the malware establishes contact with its command-and-control infrastructure through a carefully orchestrated sequence of network requests.
The initial communication begins with the malware opening a browser instance and connecting to hxxp://push.razkondronging.com/register?uid=XXXXXX. This domain represents the current iteration of the campaign’s command-and-control infrastructure, replacing previously reported endpoints. The connection then redirects through several intermediary websites before reaching its final destination.
One of the most effective stealth techniques employed by the malware involves hiding its application icon and failing to display any recognizable app name.
This approach makes it extremely difficult for users to identify and remove the malicious application through conventional means, as it does not appear in typical application lists or launchers.
The malware achieves this concealment by manipulating Android’s application management systems, ensuring that while the application remains functional and continues executing its malicious payload, it maintains an invisible presence on the infected device.

By monitoring application behavior patterns, network communications, and system interactions, behavioral detection systems can identify malicious activity regardless of code obfuscation or file format manipulation.
The key to effective behavioral detection lies in understanding the malware’s operational patterns, including its network communication sequences, file system interactions, and attempts to establish persistence.
The latest Konfety Android malware variant represents a significant advancement in mobile threat sophistication, demonstrating how threat actors continuously evolve their techniques to circumvent security measures.
The malware’s innovative use of ZIP-level manipulation, dynamic code loading, and stealth mechanisms creates a formidable challenge for traditional security analysis approaches.