Cybersecurity researchers have found a brand new, refined variant of a identified Android malware known as Konfety that leverages the evil twin approach to allow advert fraud.
The sneaky method basically entails a state of affairs whereby two variants of an software share the identical bundle identify: A benign “decoy” app that is hosted on the Google Play Retailer and its evil twin, which is distributed by way of third-party sources.
It is value stating that the decoy apps do not need to be essentially revealed by risk actors themselves and may very well be reliable. The one caveat is that the malicious apps share the very same bundle names as their actual counterparts already obtainable on the Play Retailer.
“The risk actors behind Konfety are extremely adaptable, constantly altering their focused advert networks and updating their strategies to evade detection,” Zimperium zLabs researcher Fernando Ortega stated. “This newest variant demonstrates their sophistication by particularly tampering with the APK’s ZIP construction.”
Through the use of malformed APKs, the tactic permits risk actors to sidestep detection and problem reverse engineering efforts. In addition to dynamically loading the principle DEX (Dalvik Executable) payload at runtime, the newly found variations allow the general-purpose bit flag by setting it to “Bit 0,” signaling to the system that the file is encrypted.
This conduct, in flip, triggers a false password immediate when trying to examine the Android bundle, thereby blocking entry and complicating makes an attempt to research its contents.
The second approach entails falsely declaring using BZIP compression technique within the app’s manifest XML file (“AndroidManifest.xml”), inflicting evaluation instruments like APKTool and JADX to crash resulting from a parsing failure. An analogous compression-based protection evasion approach was beforehand highlighted by Kaspersky in one other Android malware known as SoumniBot.
The usage of dynamic code loading to execute the first payload affords added stealth throughout preliminary scans or reverse engineering, Zimperium famous. Throughout execution, the DEX payload is decrypted and loaded instantly into reminiscence with out attracting any crimson flags.
“This multi-layered obfuscation method, combining encrypted belongings, runtime code injection, and misleading manifest declarations, demonstrates the evolving sophistication of the Konfety operation and its steady efforts to evade evaluation and bypass detection mechanisms,” Ortega stated.
Just like the earlier iteration reported by HUMAN final yr, Konfety abuses the CaramelAds software program growth equipment (SDK) to fetch advertisements, ship payloads, and preserve communication with attacker-controlled servers.
It comes with capabilities to redirect customers to malicious web sites, immediate undesirable app installs, and set off persistent spam-like browser notifications. Moreover, the malware hides its app icon and makes use of geofencing to change its performance based mostly on the sufferer’s area.
The event comes as ANY.RUN detailed a Chinese language Android packer software often called Ducex that is primarily designed to hide embedded payloads like Triada inside faux Telegram apps.
“The packer employs severe obfuscation via operate encryption utilizing a modified RC4 algorithm with added shuffling,” ANY.RUN researcher Alina Markova stated. “Ducex creates main roadblocks for debugging. It performs APK signature verification, failing if the app is re-signed. It additionally employs self-debugging utilizing fork and ptrace to dam exterior tracing.”
On prime of that, Ducex is designed to detect the presence of standard evaluation instruments comparable to Frida, Xposed, and Substrate, and if current, terminate itself.
The findings additionally comply with a brand new examine revealed by a staff of researchers from TU Wien and the College of Bayreuth a couple of novel approach dubbed TapTrap that may be weaponized by a malicious app to covertly bypass Android’s permission system and achieve entry to delicate information or execute harmful actions.
The assault, in a nutshell, hijacks person interactions on Android units by overlaying animations or video games on a person’s display, whereas surreptitiously launching person interface components beneath that trick customers into performing undesirable actions, comparable to putting in malware or granting the app intrusive permissions.
“Usually, Android exhibits an animation when the display adjustments, comparable to the brand new display sliding or fading in,” researchers Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer stated. “Nonetheless, the app can inform the system {that a} customized animation must be used as an alternative that’s long-running and makes the brand new display absolutely clear, preserving it hidden from you.”
“Any faucets you make throughout this animation go to the hidden display, not the seen app. The app can then use this to lure you into tapping on particular areas of the display that correspond to delicate actions on the hidden display, permitting it to carry out actions with out your information.”
In a hypothetical assault state of affairs, a risk actor-released recreation put in by the sufferer can secretly open an online browser session and dupe them into granting digital camera permissions to a malicious web site.
That stated, TapTrap’s affect extends past the Android ecosystem, opening the door to tapjacking and net clickjacking assaults. The problem has been addressed in GrapheneOS, Chrome 135 (CVE-2025-3067), and Firefox 136 (CVE-2025-1939). Android 16 continues to stay inclined to the assault.
