Additional obfuscation techniques have been integrated into the new iteration of the Android app-spoofing Konfety malware, which facilitates unauthorized app downloads, malicious site visits, and bogus browser notifications, reports BleepingComputer.
Besides copying the names and branding of legitimate Google Play apps to pose as "decoy twins" distributed through other app stores, Konfety uses dynamic code loading to hide its malicious logic in an encrypted DEX file, and tampers with its APK files so that analysis tools either fail to parse them (because the tools do not support the altered structure) or show a password prompt (because the file falsely signals encryption), according to a Zimperium analysis. Once installed, the malware hides its app icon and name and then uses geofencing to vary its behavior by the user's location, Zimperium researchers said. The findings follow a Kaspersky report detailing how the Android malware SoumniBot used compression-based obfuscation to compromise devices.