New Konfety Malware Variant Evades Detection by Manipulating APKs and Dynamic Code
Cybersecurity researchers have discovered a new, sophisticated variant of a known Android malware referred to as Konfety that leverages the evil twin technique to enable ad fraud.
The sneaky approach essentially involves a scenario wherein two variants of an application share the same package name: A benign “decoy” app that’s hosted on the Google Play Store and its evil twin, which is distributed via third-party sources.
It’s worth pointing out that the decoy apps don’t have to be necessarily published by threat actors themselves and could be legitimate. The only caveat is that the malicious apps share the exact same package names as their real counterparts already available on the Play Store.
“The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection,” Zimperium zLabs researcher Fernando Ortega said. “This latest variant demonstrates their sophistication by specifically tampering with the APK’s ZIP structure.”
By using malformed APKs, the tactic allows threat actors to sidestep detection and challenge reverse engineering efforts. Besides dynamically loading the main DEX (Dalvik Executable) payload at runtime, the newly discovered versions enable the general-purpose bit flag by setting it to “Bit 0,” signaling to the system that the file is encrypted.
This behavior, in turn, triggers a false password prompt when attempting to inspect the Android package, thereby blocking access and complicating attempts to analyze its contents.
The second technique entails falsely declaring the use of BZIP compression method in the app’s manifest XML file (“AndroidManifest.xml”), causing analysis tools like APKTool and JADX to crash due to a parsing failure. A similar compression-based defense evasion technique was previously highlighted by Kaspersky in another Android malware called SoumniBot.
The use of dynamic code loading to execute the primary payload affords added stealth during initial scans or reverse engineering, Zimperium noted. During execution, the DEX payload is decrypted and loaded directly into memory without attracting any red flags.
“This multi-layered obfuscation approach, combining encrypted assets, runtime code injection, and deceptive manifest declarations, demonstrates the evolving sophistication of the Konfety operation and its continuous efforts to evade analysis and bypass detection mechanisms,” Ortega said.
Like the previous iteration reported by HUMAN last year, Konfety abuses the CaramelAds software development kit (SDK) to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.
It comes with capabilities to redirect users to malicious websites, prompt unwanted app installs, and trigger persistent spam-like browser notifications. Furthermore, the malware hides its app icon and uses geofencing to alter its functionality based on the victim’s region.
The development comes as ANY.RUN detailed a Chinese Android packer tool known as Ducex that’s mainly designed to conceal embedded payloads like Triada within fake Telegram apps.
“The packer employs serious obfuscation through function encryption using a modified RC4 algorithm with added shuffling,” ANY.RUN researcher Alina Markova said. “Ducex creates major roadblocks for debugging. It performs APK signature verification, failing if the app is re-signed. It also employs self-debugging using fork and ptrace to block external tracing.”
On top of that, Ducex is designed to detect the presence of popular analysis tools such as Frida, Xposed, and Substrate, and if present, terminate itself.
The findings also follow a new study published by a team of researchers from TU Wien and the University of Bayreuth about a novel technique dubbed TapTrap that can be weaponized by a malicious app to covertly bypass Android’s permission system and gain access to sensitive data or execute destructive actions.
The attack, in a nutshell, hijacks user interactions on Android devices by overlaying animations or games on a user’s screen, while surreptitiously launching user interface elements underneath that trick users into performing undesirable actions, such as installing malware or granting the app intrusive permissions.
“Normally, Android shows an animation when the screen changes, such as the new screen sliding or fading in,” researchers Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer said. “However, the app can tell the system that a custom animation should be used instead that is long-running and makes the new screen fully transparent, keeping it hidden from you.”
“Any taps you make during this animation go to the hidden screen, not the visible app. The app can then use this to lure you into tapping on specific areas of the screen that correspond to sensitive actions on the hidden screen, allowing it to perform actions without your knowledge.”
In a hypothetical attack scenario, a threat actor-released game installed by the victim can secretly open a web browser session and dupe them into granting camera permissions to a malicious website.
That said, TapTrap’s impact extends beyond the Android ecosystem, opening the door to tapjacking and web clickjacking attacks. The issue has been addressed in GrapheneOS, Chrome 135 (CVE-2025-3067), and Firefox 136 (CVE-2025-1939). Android 16 continues to remain susceptible to the attack.
