Executive Summary
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new, sophisticated variant of a well-known malware previously reported by Human. This Android-targeted malware, named Konfety, employs an “evil-twin” method to conduct fraudulent activities. Notably, two distinct variants of this application share the same Package Name, a tactic designed to enhance its evasiveness and impact:
- Dual-App Deception: Uses the same package name for both a benign app (on official stores) and a malicious version distributed via third-party sources.
- ZIP-Level Evasion: Tampered APK structure (e.g., unsupported compression, fake encryption flags) breaks common analysis tools and complicates reverse engineering.
- Dynamic Code Loading: Conceals key functionality in encrypted assets that are only decrypted and executed at runtime.
- Stealth Techniques: Hides app icon, mimics legitimate apps, and applies geofencing to adjust behavior by region.
- Ad Fraud Infrastructure: Leverages CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.
- User Impact: Redirects users to malicious websites, prompts unwanted app installs, and triggers persistent spam-like browser notifications.
The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection. This latest variant demonstrates their sophistication by specifically tampering with the APK's ZIP structure. This tactic is designed to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.
Evasion via Malformed ZIP Packaging
Malware developers are constantly refining their tactics. Beyond simply adding new functionalities, they're adopting increasingly advanced techniques to evade detection and hinder reverse engineering efforts. The newly discovered variants, for instance, implement the following sophisticated tricks:
- General Purpose Flag Enabled: Bit 0 of the General Purpose Bit Flag (the encryption flag) is set in the ZIP entry headers even though no encryption is present. Some tools therefore treat the APK (ZIP) as encrypted and prompt for a password before decompressing it.
- Unsupported Compression Method (BZIP - 0x000C): The AndroidManifest.xml entry in these samples declares the BZIP compression method (0x000C), but the file data is not actually compressed with that algorithm. The mismatch leaves decompression tools with partial output and causes analysis tools to fail when parsing the file.
These ZIP manipulations operate at a lower level, specifically targeting the tools used to analyze the APK in various ways. For instance, the initial technique prevents these tools from extracting files by triggering a password prompt (Fig.2), effectively blocking access.
In other instances, these manipulations cause analysis tools like APKTool or JADX to crash entirely, preventing any deeper inspection, as illustrated in Fig.3.
If Android encounters an unsupported compression type such as BZIP, it quietly falls back to treating the entry as if it were simply stored. This allows installation to continue without crashing, so the tampered package installs normally on a device while the same bytes break the tools used to inspect it.
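The two anomalies described above are easy to flag with a header-level check that never relies on a ZIP library's extraction path. The following Python script is an added example (not Zimperium's tooling and not code from the report): it walks the central directory and the local file headers of an archive and reports an entry whose encryption bit is set or whose compression method is anything other than stored (0) or deflate (8), the only two methods Android accepts. The sample archive is constructed in memory by the script; the tampering it applies for the demonstration uses the flag bit and method value named in the report.

```python
"""Header-level audit for the ZIP tricks described in the report:
general-purpose bit 0 (encryption flag) set on an unencrypted entry and a
compression method the Android package parser does not support.
Standard library only; the sample archive below is constructed here."""
import io
import struct
import zipfile

LOC_SIG = 0x04034B50   # local file header signature
CEN_SIG = 0x02014B50   # central directory file header signature
EOCD_SIG = 0x06054B50  # end of central directory record signature
SUPPORTED_METHODS = {0: "stored", 8: "deflate"}  # what Android's parser accepts
FLAG_ENCRYPTED = 0x0001                          # general purpose bit 0


def parse_central_directory(data: bytes) -> list:
    """Return one record per central directory entry without extracting anything."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if f[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": f[3], "method": f[4],
                        "local_offset": f[16], "cd_offset": pos})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def audit_zip(data: bytes) -> list:
    """One human-readable finding per anomaly; an empty list means nothing suspicious."""
    findings = []
    for e in parse_central_directory(data):
        lh = e["local_offset"]
        sig, _, l_flags, l_method = struct.unpack("<IHHH", data[lh:lh + 10])
        if sig != LOC_SIG:
            findings.append(f"{e['name']}: no local file header at offset {lh}")
            continue
        # Check both headers: tools differ in which one they trust.
        if (e["flags"] | l_flags) & FLAG_ENCRYPTED:
            findings.append(f"{e['name']}: encryption flag (general purpose bit 0) set")
        for method in sorted({e["method"], l_method}):
            if method not in SUPPORTED_METHODS:
                findings.append(f"{e['name']}: unsupported compression method {method} "
                                f"(Android falls back to stored)")
        if (e["flags"], e["method"]) != (l_flags, l_method):
            findings.append(f"{e['name']}: central directory and local header disagree")
    return findings


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed stand-in for an APK with two stored entries. With tamper=True the
    AndroidManifest.xml headers are patched the way the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\0")          # placeholder content
    data = bytearray(buf.getvalue())
    if tamper:
        entry = next(e for e in parse_central_directory(bytes(data))
                     if e["name"] == "AndroidManifest.xml")
        # flags field: offset 8 in the central header, 6 in the local header
        for off in (entry["cd_offset"] + 8, entry["local_offset"] + 6):
            cur = struct.unpack("<H", data[off:off + 2])[0]
            data[off:off + 2] = struct.pack("<H", cur | FLAG_ENCRYPTED)
        # method field: offset 10 in the central header, 8 in the local header
        for off in (entry["cd_offset"] + 10, entry["local_offset"] + 8):
            data[off:off + 2] = struct.pack("<H", 0x000C)  # BZIP, as in the report
    return bytes(data)


if __name__ == "__main__":
    for label, tamper in (("clean", False), ("tampered", True)):
        print(label, audit_zip(build_sample_apk(tamper)) or ["no findings"])
```

Run against a real APK with `audit_zip(open(path, "rb").read())`. Because the check reads only the headers, a package that trips it is worth quarantining before it is handed to tools like APKTool or JADX, which the report shows crashing on exactly these inputs.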
The Konfety Malware Analysis
Similar to earlier variants, these samples also incorporate multiple layers of obfuscation specifically designed to hinder detection and complicate both static and dynamic analysis.
One of the key techniques employed is dynamic code loading, where additional executable code is loaded at runtime from an encrypted asset bundled within the APK (Fig.4). This encrypted file contains a secondary DEX (Dalvik Executable) file, which is not immediately visible during a standard inspection of the APK.
This strategy allows the malware to conceal critical functionality during the initial scan or reverse engineering attempts. Upon execution, the application decrypts and loads this DEX file into memory, enabling it to execute additional malicious logic that is completely hidden during installation and superficial analysis.
The hidden DEX file contains several of the app components (activities, services, and receivers) that were declared in the AndroidManifest.xml but missing from the primary APK codebase. This inconsistency immediately raised a red flag during our analysis and prompted deeper investigation.
The presence of these hidden components allowed us to conclusively link the sample to the Konfety malware family. Inside the concealed code was a specific service related to the CaramelAds SDK, which previous Konfety campaigns heavily abused for large-scale ad fraud operations. While this SDK isn't inherently malicious, threat actors are known to exploit it to silently fetch and render ads, sideload additional payloads, and communicate with remote servers, all without the user's knowledge. This multi-layered obfuscation approach, combining encrypted assets, runtime code injection, and deceptive manifest declarations, demonstrates the evolving sophistication of the Konfety operation and its continuous efforts to evade analysis and bypass detection mechanisms.
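The manifest-versus-code inconsistency that exposed the hidden DEX can be turned into a routine check. The script below is an added example (not code from the report or from Zimperium): it reads a decoded text AndroidManifest.xml, as apktool writes it, resolves the relative component names the manifest allows, and lists every declared activity, service, receiver or provider that none of the bundled classes*.dex files defines. The DEX side is given as a list of class descriptors in the form `dexdump` prints them; both the manifest and the descriptor list below are constructed for the example.

```python
"""List app components declared in AndroidManifest.xml that no bundled DEX
defines. A non-empty result means the component's code must arrive some
other way at runtime, which is the dynamic-loading pattern described above.
Inputs here are constructed samples, not data from a real APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def declared_components(manifest_xml: str) -> dict:
    """Map each fully qualified component class to its tag, resolving the
    relative forms the manifest permits (".Foo" and bare "Foo")."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = {}
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if not name:
                continue
            if name.startswith("."):
                name = package + name
            elif "." not in name:
                name = package + "." + name
            found[name] = tag
    return found


def classes_from_descriptors(descriptors) -> set:
    """Convert DEX type descriptors such as 'Lcom/a/b/C;' to dotted class names."""
    out = set()
    for d in descriptors:
        if d.startswith("L") and d.endswith(";"):
            out.add(d[1:-1].replace("/", "."))
    return out


def missing_components(manifest_xml: str, dex_descriptors) -> dict:
    """Components the manifest declares but no bundled DEX defines."""
    present = classes_from_descriptors(dex_descriptors)
    return {cls: tag for cls, tag in declared_components(manifest_xml).items()
            if cls not in present}


# Constructed sample manifest: the service and receiver have no class in the DEX list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoy">
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.decoy.sdk.AdService"/>
    <receiver android:name=".net.ConnectivityReceiver"/>
    <provider android:name="androidx.startup.InitializationProvider"/>
  </application>
</manifest>"""

# Constructed descriptor list standing in for the output of dexdump over classes*.dex.
SAMPLE_DEX_CLASSES = [
    "Lcom/example/decoy/MainActivity;",
    "Landroidx/startup/InitializationProvider;",
    "Lcom/example/decoy/util/Crypto;",
]

if __name__ == "__main__":
    for cls, tag in sorted(missing_components(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES).items()):
        print(f"{tag:<9} {cls}  declared in manifest, absent from every classes*.dex")
```

For a real sample, feed the decoded manifest from apktool and the descriptors from every classes*.dex in the package; a service or receiver that shows up here is the component to look for in whatever the app decrypts and loads at runtime.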
Further indicators linking the current malware to the earlier campaign discovered by Human include the appearance of a User Agreement popup (Fig.5) and the presence of a specific regular expression within the code. This expression searches for the pattern @injseq, which was also used in previous versions (Fig.6).
Decoy Application
Further confirmation came with the discovery of several decoy applications on the Play Store that share the exact same package name as the malicious counterpart, although these decoys are not linked to the campaign itself. The malware simply mimics the legitimate app's package name but does not replicate its functionality. In fact, it hides its icon and does not display any app name, emphasizing its stealthy intent (Fig.7).
Network Traffic Analysis
Through dynamic analysis, we successfully intercepted the network communications between the malware and its server. Initially, after the user accepts the User Agreement, the malware opens a browser instance that connects to hxxp://push.razkondronging.com/register?uid=XXXXXX. This then redirects through several other websites. The final destination website employs deceptive tactics to trick the victim into either installing additional applications from outside official app stores or accepting a browser notification prompt. Once approved, this leads to a flood of persistent and unwanted notifications (Fig. 8).
Zimperium vs Konfety Malware
Zimperium's on-device Mobile Threat Defense (MTD) solution and zDefend customers are fully protected against the Konfety malware. Our advanced detection capabilities identify and mitigate the new evasion techniques employed by this threat. By continuously monitoring and adapting to evolving threat landscapes, Zimperium ensures comprehensive protection for mobile devices against sophisticated malware like Konfety.
MITRE ATT&CK Techniques
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table of MITRE ATT&CK tactics and techniques for reference.
Tactic | ID | Name | Description
--- | --- | --- | ---
Persistence | | Event Triggered Execution: Broadcast Receivers | Creates a broadcast receiver to receive network events
Defense Evasion | | Masquerading: Match Legitimate Name or Location | Uses the package name of legitimate decoy apps published on the Google Play Store
Defense Evasion | | Geofencing | If the sample detects that the device is using a mobile user agent from an EU country, it redirects the victim to suspicious sites; otherwise it redirects to google.com
Defense Evasion | | Suppress Application Icon | Hides the app icon from the user
Defense Evasion | | Obfuscated Files or Information: Software Packing | Uses obfuscation and packing (dynamic class loading) to conceal its code
Discovery | | File and Directory Discovery | Searches for the pattern @injseq
Discovery | | Software Discovery | Collects the list of installed application packages to verify whether certain apps are installed
Discovery | | System Network Configuration Discovery | Collects network information
Discovery | | System Information Discovery | Collects basic device information
Command and Control | | Dead Drop Resolver | Connects to a website that redirects the victim to other addresses
Indicators of compromise (IOCs)
The indicators of compromise of this campaign can be found in this repository.