To evade malware detection, threat actors are building Android Package (APK) files that declare unsupported or unknown ZIP compression methods.
Zimperium’s research, which found 3,300 such artifacts in the wild, supports this. Of the identified samples, 71 could be loaded onto the operating system without any problems.
Since there is no proof that the apps were ever made available through the Google Play Store, it is likely that they were spread through other channels, usually by tricking people into sideloading them or using dubious app stores.
The APK files employ “a method which restricts the likelihood of disassembling the app for a broad range of tools, limiting the chances of being analyzed,” according to security researcher Fernando Ortega. Because an APK is essentially a ZIP file, the trick is to mark its entries with a compression method that standard ZIP tooling does not support.
The benefit of this strategy is that it withstands decompilation tools while the file can still be installed on devices running Android 9 Pie or later.
The Texas-based cybersecurity company said it began its own investigation after reading a June 2023 post on X (formerly Twitter) by Joe Security about an APK file that showed similar behaviour.
Android packages normally use only two ZIP compression methods: STORED (no compression) and DEFLATE. The important discovery is that APKs whose entries declare an unsupported method cannot be installed on devices running Android versions lower than 9, while they install and run perfectly on Android 9 and higher, because the newer platform tolerates the bogus method value where older versions and many analysis tools reject it.
Additionally, Zimperium found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to cause analysis tools to crash.
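The two tricks above (an unsupported method value in the ZIP headers, and file names longer than 256 bytes) can both be spotted by walking the ZIP central directory directly instead of handing the file to a ZIP library that aborts on the first entry it cannot decompress. The following Python script is an added example for this article; it is not Zimperium’s tooling or code from the samples. It builds a constructed stand-in for an APK, rewrites one entry’s method field to an arbitrary unsupported value (33 is chosen here; the real samples’ values are not given in the article), and shows that a strict tool refuses the entry while the hand-rolled scanner reports it. The 256-byte name cut-off is assumed from the figure in the text.

```python
import io
import struct
import zipfile

# ZIP "compression method" values the Android package installer handles:
# 0 = STORED (no compression), 8 = DEFLATE.
STORED, DEFLATED = 0, 8
ANDROID_METHODS = {STORED, DEFLATED}
# Arbitrary value outside the ZIP spec, standing in for whatever the samples used.
UNSUPPORTED_METHOD = 33
# Threshold mirroring the >256-byte file names reported (assumed cut-off).
MAX_NAME_LEN = 256

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def parse_central_directory(data: bytes):
    """Return [(name_bytes, method)] by walking the central directory by hand.

    Unlike zipfile, this never tries to decompress anything, so entries with a
    bogus method value are reported instead of aborting the analysis."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"corrupt central directory at offset {pos}")
        # 46-byte fixed header: method is field 4; name/extra/comment lengths are fields 10..12
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        method, name_len, extra_len, comment_len = f[4], f[10], f[11], f[12]
        entries.append((data[pos + 46:pos + 46 + name_len], method))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def scan_apk(data: bytes):
    """Flag entries Android 9+ would still install but strict ZIP tools choke on."""
    findings = []
    for name, method in parse_central_directory(data):
        shown = name[:40].decode("utf-8", "replace")
        if method not in ANDROID_METHODS:
            findings.append(("unsupported_method", shown, method))
        if len(name) > MAX_NAME_LEN:
            findings.append(("overlong_name", shown, len(name)))
    return findings


def set_method(data: bytes, target: bytes, method: int) -> bytes:
    """Rewrite the method field of entry `target` in both its local and central headers."""
    buf = bytearray(data)
    # (signature, offset of method field, offset of name-length field, offset of name)
    for sig, m_off, nl_off, n_off in ((LFH_SIG, 8, 26, 30), (CDH_SIG, 10, 28, 46)):
        pos = buf.find(sig)
        while pos >= 0:
            name_len = struct.unpack_from("<H", buf, pos + nl_off)[0]
            if buf[pos + n_off:pos + n_off + name_len] == target:
                struct.pack_into("<H", buf, pos + m_off, method)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_apk(long_name: bool = False) -> bytes:
    """Constructed stand-in for an APK: a ZIP holding the entries an APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>", zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64), zipfile.ZIP_DEFLATED)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + bytes(16), zipfile.ZIP_STORED)
        if long_name:  # 311-byte name, past the assumed 256-byte threshold
            zf.writestr("assets/" + "a" * 300 + ".bin", b"x", zipfile.ZIP_STORED)
    return buf.getvalue()


def strict_tool_can_read(data: bytes, name: str) -> bool:
    """Stand-in for an analysis tool that relies on a standard ZIP library."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except NotImplementedError:  # raised for any method zipfile cannot decompress
        return False


if __name__ == "__main__":
    clean = build_sample_apk()
    evasive = set_method(clean, b"classes.dex", UNSUPPORTED_METHOD)
    print("clean:  ", scan_apk(clean), strict_tool_can_read(clean, "classes.dex"))
    print("evasive:", scan_apk(evasive), strict_tool_can_read(evasive, "classes.dex"))
    print("long:   ", scan_apk(build_sample_apk(long_name=True)))
```

The scanner deliberately reads only the central directory headers and never inflates data, so a corrupt entry (bad method, absurd name length, or a mangled AndroidManifest.xml) is a finding rather than a crash; a triage pipeline can run it before any decompiler touches the file.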
The disclosure follows Google’s revelation a few weeks earlier that threat actors are using a technique known as “versioning,” in which a benign app that has passed review is later updated with malicious code, to get around the Play Store’s malware checks and attack Android users.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him an effective writer in the cybersecurity field. He also writes frequently for Craw Security.