Security researchers recently discovered a new malware family called Konfety, which has drawn the attention of the cybersecurity community. It is a sophisticated Android malware variant that uses elaborate concealment tactics to evade detection and blocking by common security tools.
Konfety is not merely an ad-fraud operation; it can also pose a serious danger to users and businesses if precautions are not taken in time.
Konfety’s sophisticated tactics
Konfety operates on an "evil twin" tactic, i.e., it uses fake apps to trick users. The malware poses as a legitimate app found on Google Play while actually carrying malicious code. Once installed, Konfety can perform the following actions:
- Redirect users to harmful websites.
- Install unwanted, annoying apps.
- Serve hidden malicious ads via the CaramelAds SDK.
- Collect personal data, including information about installed applications, system configuration, and geographic location.
Methods of evading detection
Konfety's distinguishing feature is its extremely sophisticated strategy for avoiding analysis. To evade detection, Konfety uses several techniques, including:
- APK format customization: Konfety alters the APK file structure and abuses the ZIP "General Purpose Bit" flag to mislead analysis tools. This makes it difficult for tools such as APKTool and JADX to extract and analyze the malicious code.
- Non-standard BZIP compression: Konfety's APK uses an uncommon compression method, causing analysis tools to crash when they attempt to decode it.
- Hidden app icon: Once installed, Konfety hides its icon on the home screen, which helps it avoid the user's attention and reduces the likelihood of being removed.
- Geofencing: Konfety can change its behavior depending on the user's location, avoiding detection in countries with strict app-vetting regimes.
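The two APK-level tricks above (a misleading general-purpose flag and an unusual compression method in the ZIP headers) are cheap to check for before an APK ever reaches a decompiler. The following is an added example, not code from the original article or from WhiteHat: a small triage script that walks the ZIP central directory and local file headers by hand, so it keeps working on archives that make higher-level tools give up, and flags entries that claim to be encrypted or that declare a method other than "stored" or "deflate". The sample APK it inspects is constructed inline (it is not a real Konfety file) and has its encryption flag patched in by hand, because Python's zipfile module will not write one; which flag bits and compression methods count as suspicious is this script's own assumption.

```python
"""Triage check for APK/ZIP header tricks: entries that claim encryption via
the general-purpose bit flag, or that declare a compression method that most
Android analysis tools do not implement (e.g. BZIP2, method 12)."""
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"    # central directory file header signature
LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
CD_FMT = "<4sHHHHHHIIIHHHHHII"  # the 46-byte central directory header
FLAG_ENCRYPTED = 0x0001         # general-purpose bit 0: entry is encrypted
COMMON_METHODS = {0: "stored", 8: "deflate"}   # what every APK tool supports
METHOD_NAMES = {**COMMON_METHODS, 12: "bzip2", 14: "lzma"}


def scan_zip_headers(data: bytes) -> list[dict]:
    """Parse the central directory ourselves (no zipfile) and report, per
    entry, the header fields an evasive APK would tamper with."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    findings, pos = [], cd_offset
    for _ in range(n_entries):
        (sig, _made_by, _need, cd_flags, cd_method, _t, _d, _crc, _csize, _usize,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr,
         lfh_offset) = struct.unpack_from(CD_FMT, data, pos)
        if sig != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len
        # The local header carries its own copy of flags/method; check both,
        # since a tool may trust either one.
        lsig, _lneed, l_flags, l_method = struct.unpack_from("<4sHHH", data, lfh_offset)
        if lsig != LFH_SIG:
            raise ValueError(f"bad local header signature for {name!r}")
        reasons = []
        if (cd_flags | l_flags) & FLAG_ENCRYPTED:
            reasons.append("encryption flag set in general-purpose bits")
        for where, method in (("central", cd_method), ("local", l_method)):
            if method not in COMMON_METHODS:
                reasons.append(f"{where} header declares method {method} "
                               f"({METHOD_NAMES.get(method, 'unknown')})")
        if cd_flags != l_flags or cd_method != l_method:
            reasons.append("local and central headers disagree")
        findings.append({"name": name, "flags": cd_flags, "method": cd_method,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def stock_tool_can_read(data: bytes, name: str) -> bool:
    """What a parser that trusts the headers does: a fake encryption flag
    makes it refuse the entry outright (RuntimeError: password required)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (RuntimeError, zipfile.BadZipFile, NotImplementedError):
        return False


def _set_encryption_flag(data: bytearray, name: bytes) -> None:
    """Flip bit 0 of the general-purpose flag in both headers of `name`
    (assumed layout: flag offset, name-length offset, name offset)."""
    for sig, flag_off, len_off, name_off in ((LFH_SIG, 6, 26, 30), (CD_SIG, 8, 28, 46)):
        pos = data.find(sig)
        while pos >= 0:
            name_len = struct.unpack_from("<H", data, pos + len_off)[0]
            if data[pos + name_off:pos + name_off + name_len] == name:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | FLAG_ENCRYPTED)
                break
            pos = data.find(sig, pos + 4)


def build_sample_apk() -> bytes:
    """Constructed sample, not a real Konfety APK: one ordinary entry, one
    BZIP2 entry, and one entry whose headers falsely claim encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("assets/payload.bin", b"A" * 64, compress_type=zipfile.ZIP_BZIP2)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32, compress_type=zipfile.ZIP_DEFLATED)
    data = bytearray(buf.getvalue())
    _set_encryption_flag(data, b"classes.dex")
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry in scan_zip_headers(sample):
        mark = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{mark:10} {entry['name']:24} flags=0x{entry['flags']:04x} "
              f"method={entry['method']} {'; '.join(entry['reasons'])}")
    print("zipfile can read classes.dex:", stock_tool_can_read(sample, "classes.dex"))
```

Run against a real APK by passing its bytes to scan_zip_headers(); any entry reported as suspicious is worth a manual look before the file is trusted or handed to a decompiler, and a header that claims encryption on an app that is not actually encrypted is exactly the kind of inconsistency this article describes.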
Attack and distribution methods
Unlike traditional malware, Konfety does not appear on the Google Play Store itself but is usually distributed through third-party app stores, or by impersonating popular apps such as browsers, cleaner apps, free VPNs, and so on. Users can easily be tricked into downloading these apps without any idea of the malicious code inside.
Risks and effects
Although Konfety has not yet caused serious widespread damage, it may pave the way for further attacks in the future. Potential risks from Konfety include:
- System data theft: Includes personal information and other sensitive user data.
- Corporate impact: If an infected device has access to internal systems or important data, it can cause major damage.
- Delivery of spyware or data-encryption tools: Konfety can be used as a platform for downloading spyware or data-encryption tools, with a ransom then demanded.
How to avoid Konfety malicious code
To protect themselves from threats such as Konfety, according to WhiteHat experts, individual users and businesses need to take the following precautions:
For individual users:
- Do not install APKs from unknown sources; install apps only from the Google Play Store or an official source, and avoid downloading apps from websites of unknown origin.
- Turn on Play Protect and use a mobile anti-virus product to detect tampered APKs and runtime malware.
- Double-check the permissions requested when installing an app: make sure the app does not ask for unnecessary permissions.
- Regularly update your operating system and security software to protect your device from the latest threats.
- Block Telegram's fraudulent domain using a firewall or DNS filtering, and warn users when scanning QR codes.
For businesses:
- Mobile device management (MDM): Ensure that devices in the enterprise environment are not infected with malware.
- Strict BYOD policy: Ensure that employees who use personal devices for work comply with security regulations.
- Security awareness training for end users: Help employees recognize the risks posed by malware.
- EDR/MTD technology integration: For rapid detection of and response to endpoint threats.
Konfety demonstrates that today's malware is increasingly sophisticated and difficult to detect. Protecting devices from these threats requires heightened vigilance from both individual and corporate users. Always be cautious when installing apps, especially from unofficial sources, and maintain strong security measures to protect your device from potential harm.
Compiled by WhiteHat
