Evading Detection: Stealthy APK Compression Tactics in Thousands of Android Malware Apps
A recent study by Zimperium has uncovered a worrisome trend: threat actors are using obscure and unsupported compression methods in Android Package (APK) files to evade malware analysis. Zimperium identified 3,300 such artifacts in the wild, 71 of which load onto the operating system without any issues.
It's important to note that these apps were never available on the Google Play Store. This suggests that they were distributed through untrusted third-party app stores or through manipulative social engineering tactics that convince victims to sideload them.
An APK is a ZIP archive, and Android expects its entries to be compressed with the DEFLATE algorithm. The study found that APKs using unsupported compression methods cannot be installed on devices running Android versions earlier than 9, but they do install on later versions of the system.
Furthermore, the study revealed that malware authors are deliberately tampering with APK files by exceeding the standard filename length of 256 bytes and by creating malformed AndroidManifest.xml files. These tactics are designed to crash analysis tools and impede thorough examination.
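As an added example (not code from the article or from Zimperium), the following Python script implements the defender-side check the two paragraphs above call for: it walks an APK's ZIP central directory by hand and flags entries whose compression method is neither stored nor DEFLATE, as well as file names longer than 256 bytes. The sample APK it scans is constructed in memory, and the assumption that Android's installer accepts only stored and DEFLATE entries is ours, not the article's.

```python
"""Added example (not code from the article or from Zimperium): inspect an
APK's ZIP central directory and flag the two tampering tricks the write-up
describes, namely compression methods Android does not support and file
names longer than 256 bytes. The sample APK below is constructed in memory."""
import io
import struct
import zipfile

# ZIP compression method IDs from PKWARE's APPNOTE. Assumption: Android's
# installer accepts only "stored" and "deflate" entries.
ANDROID_SUPPORTED_METHODS = {0: "stored", 8: "deflate"}
KNOWN_METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}
MAX_NAME_BYTES = 256  # the filename length the article says attackers exceed

EOCD_SIG = struct.pack("<I", 0x06054B50)   # end of central directory record
CDH_SIG = 0x02014B50                       # central directory file header


def scan_apk_bytes(data: bytes) -> list:
    """Return one finding per central-directory entry: name, method and a
    list of reasons it looks tampered (an empty list means clean). The
    records are parsed by hand rather than through zipfile so that an
    unknown method or an oversized name cannot crash the scanner."""
    eocd_off = data.rfind(EOCD_SIG)
    if eocd_off < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD: sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd_off)

    findings = []
    pos = cd_offset
    for _ in range(entries):
        # 46-byte fixed header: sig, ver_made, ver_need, flags, method, time, date,
        # crc, csize, usize, name_len, extra_len, comment_len, disk, int_attr,
        # ext_attr, local_header_offset
        hdr = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if hdr[0] != CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        method, name_len, extra_len, comment_len = hdr[4], hdr[10], hdr[11], hdr[12]
        raw_name = data[pos + 46: pos + 46 + name_len]
        reasons = []
        if method not in ANDROID_SUPPORTED_METHODS:
            reasons.append(
                "compression method %d (%s) is not deflate/stored; the article reports "
                "such APKs fail on Android < 9 but install on later versions"
                % (method, KNOWN_METHOD_NAMES.get(method, "unknown"))
            )
        if name_len > MAX_NAME_BYTES:
            reasons.append("file name is %d bytes, over the %d-byte limit"
                           % (name_len, MAX_NAME_BYTES))
        findings.append({
            "name": raw_name.decode("utf-8", errors="replace"),
            "method": method,
            "reasons": reasons,
        })
        pos += 46 + name_len + extra_len + comment_len
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real malware artifact: a minimal ZIP with a
    normal manifest and dex, a bzip2-compressed asset (method 12, which
    Android does not support) and an entry whose name exceeds 256 bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32, compress_type=zipfile.ZIP_STORED)
        zf.writestr("assets/payload.bin", b"A" * 4096, compress_type=zipfile.ZIP_BZIP2)
        zf.writestr("res/" + "x" * 300 + ".png", b"PNG", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def flagged_names(data: bytes) -> list:
    """Names of entries with at least one reason, for quick triage."""
    return [f["name"] for f in scan_apk_bytes(data) if f["reasons"]]


if __name__ == "__main__":
    sample = build_sample_apk()
    for finding in scan_apk_bytes(sample):
        status = "; ".join(finding["reasons"]) or "ok"
        print("%-40.40s method=%-2d %s" % (finding["name"], finding["method"], status))
```

The scanner reads the raw central-directory records with `struct` instead of opening the archive with `zipfile`, because a ZIP library that refuses unknown methods or chokes on a 300-byte name is exactly the kind of tool the article says these samples are built to crash; reading the headers yourself lets you report the anomaly instead of failing on it. To scan a real file, pass the result of `open(path, "rb").read()` to `scan_apk_bytes`.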
Interestingly, this discovery comes shortly after Google disclosed that malicious actors are using a technique called "versioning" to evade its Play Store's malware detection mechanisms. This maneuver is part of a broader effort to target unsuspecting Android users with malicious intent.
Source: https://thehackernews.com/2023/08/thousands-of-android-malware-apps-using.html