    Android Malware Developers Utilize Stealthy APK Compression to Bypass Detection Measures

    By securnerd

    In a concerning trend, cyber threat actors have been exploiting lesser-known or unsupported compression methods within Android Package (APK) files, enabling them to circumvent conventional malware analysis protocols.

    Recent investigations by Zimperium, a cybersecurity firm, found around 3,300 artifacts employing these unconventional compression algorithms. Of those, 71 samples can be loaded onto the operating system without any problems.

    Notably absent from the Google Play Store, these suspicious applications appear to have been disseminated through alternative channels, often leveraging untrusted third-party app repositories or exploiting social engineering tactics to manipulate users into sideloading them.

    The authors of these APK files use a technique that hampers decompilation by many analysis tools. Fernando Ortega, a security researcher, explained, “The APK (essentially a ZIP file) utilizes an unsupported decompression method, limiting the avenues for application decompilation.”

    The most significant advantage of this approach is its effectiveness in thwarting decompilation attempts, all while remaining compatible with Android devices powered by operating system versions beyond Android 9 Pie.

    Zimperium’s examination was prompted by a June 2023 post on X (formerly Twitter) by Joe Security, detailing an APK file that demonstrated these evasive behaviors.

    Within the Android ecosystem, APK files can be packaged in two formats – one devoid of compression and the other utilizing the widely-used DEFLATE algorithm. The crux of the matter lies in APKs that employ unsupported compression methods. These cannot be successfully installed on devices operating on Android versions prior to 9, yet they function seamlessly on subsequent iterations.

    Moreover, Zimperium’s investigation unveiled an additional layer of subterfuge employed by malware creators. By incorporating filenames that exceed 256 characters and malformed AndroidManifest.xml files, they deliberately trigger crashes in analysis tools, compounding the challenge for researchers.
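A triage check for the two traits described above, as an added example (not code from Zimperium or from this article): it reads the ZIP central directory directly, so it does not depend on a decompressor, and flags entries whose compression method is neither STORED (0) nor DEFLATE (8) as well as names longer than 256. The function names, the sample archive and the method id 0x1234 are constructed for illustration.

```python
import io
import struct
import zipfile

STORED, DEFLATE = 0, 8      # the two methods the article says APKs normally use
MAX_NAME_LEN = 256          # filename threshold from the article (measured in bytes here)
EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"

def audit_apk(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, finding) pairs read from the ZIP central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; not a ZIP/APK")
    # EOCD: total entry count at +10, directory size at +12, directory offset at +16
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            findings.append(("<central directory>", "truncated or corrupt header"))
            break
        method, = struct.unpack_from("<H", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if method not in (STORED, DEFLATE):
            findings.append((name, f"unsupported compression method {method}"))
        if name_len > MAX_NAME_LEN:
            findings.append((name, f"filename length {name_len} exceeds {MAX_NAME_LEN}"))
        pos += 46 + name_len + extra_len + comment_len
    return findings

def make_sample(tamper: bool = True) -> bytes:
    """Constructed test archive; with tamper=True it carries both traits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        if tamper:
            zf.writestr("res/" + "a" * 300, b"x")   # 304-byte entry name
    raw = bytearray(buf.getvalue())
    if tamper:
        cd = raw.find(CDH_SIG)                       # first central-directory header
        struct.pack_into("<H", raw, cd + 10, 0x1234)  # constructed, undefined method id
    return bytes(raw)

if __name__ == "__main__":
    for entry, finding in audit_apk(make_sample()):
        print(f"{entry[:40]}: {finding}")
```

On real samples, run `audit_apk` on the raw file bytes before handing the APK to a decompiler, and treat any finding as a reason to route the file to manual analysis.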

    This revelation surfaces mere weeks following Google’s disclosure of threat actors leveraging versioning techniques to outmaneuver the malware detection mechanisms on the Play Store, posing a formidable threat to Android users worldwide.
