Tuesday, July 16, 2024

3,000+ Android Malware Using Unique Compression Methods to Avoid Detection

Android Smartphones play a vital role in our daily lives, as they help us stay connected and, not only that, they also help in performing several daily tasks like:

  • Shopping
  • Banking
  • Browsing
  • Connections

But, besides this, it also attracts the attention of cybercriminals or threat actors since smartphones hold our valuable and confidential data.

Cybersecurity researchers at Zimperium zLab recently identified an application package file (APK) dubbed “a.apk” that could be installed on the Android OS version above Android 9 Pie, but it can’t be scanned from most of the anti-decompilation tools.

THE EXPERTS DETECTED this APK sample (2f371969faf2dc239206e81d00c579ff) on a Tweet published by Joe Security.

Detected APK overview

  • APK Sample Name: a.apk
  • Description: Yara detected apk with invalid zip compression
  • Analysis ID: 895672
  • MD5: 2f371969faf2dc239206e81d00c579ff
  • SHA1: 0ad5289c6b7a438e3970149b183e74b89f534109
  • SHA256: b3561bf581721c8
  • Rule: JoeSecurity_apk_invalid_zip_compression

Android Malware Unique Compression

While this sample prevents the decompilation by employing a decompression method that is entirely unsupported within its APK, a zip file makes the complete analysis difficult for many tools.

Classification (Source – Joe Sandbox)

However, though it’s an old method, it’s sophisticated in nature and involves altering APK compression algorithms to evade the automatic script analysis so, that the static examination could be prevented.

With a 16-bit scope, 65,536 options exist, but Android’s APK, utilizing ZIP, accommodates just two compression methods.

Here below, we have mentioned those two compression methods:

  • STORED method (0x0000)
  • DEFLATE (0x0008) compression algorithm

Moreover, the unsupported compression methods in Android versions below 9 block installation, but it function properly in the case of the above Android 9 version.

Certain tools, like MacOS Archive Utility, fail to extract critical analysis files like “AndroidManifest.xml” from the APK. But, besides this, the JEB, in its latest release, has now fixed this flawed compression.

Techniques Detected

Here below we have mentioned all the techniques that the security analysts detect:-

  • Filenames with more than 256 bytes
  • Malformed AndroidManifest.xml file
  • Malformed String Pool

Cybersecurity analysts at Zimperium zLabs discovered that to prevent the analysis, all the 3,300  samples were utilizing ‘unsupported unknown compression,’ they even found some too corrupted for the OS to load.

Out of these identified malicious samples, security analysts were able to find only 71 Android OS-loadable negative samples, and among these samples, none of them are available in Google Play Store at the moment.


Malicious apps using an unsupported unknown compression method:-

  • com.freerdplalobydarkhack.con
  • package.name.suffix
  • com.google.android.inputmethod.latia
  • numeric.contents.desktor
  • health.karl.authority
  • charlie.warning.professional
  • imperial.xi.asia
  • turner.encouraged.matches
  • insta.pro.prints
  • com.ace.measures
  • eyes.acquisition.handed
  • xhtml.peripherals.bs
  • com.google.services
  • google.clood.suffix
  • friends.exec.items
  • com.deveops.frogenet.service
  • com.yc.pfdl
  • publicity.inter.brooklyn
  • consist.prior.struck
  • disaster.considering.illinois
  • splash.app.main
  • labeled.configuring.servies
  • regarded.editors.association
  • com.appser.verapp
  • widely.sharp.rugs
  • handmade.catalogs.urgent
  • com.gem.holidays
  • lemon.continental.prince
  • com.koi.tokenerror
  • cmf0.c3b5bm90zq.patch
  • com.ilogen.com
  • one.enix.smsforward
  • com.app.app
  • per.hourly.wiki
  • com.mobihk.v
  • com.gmail.net
  • broadway.ssl.seasonal
  • Fees.abc.laugh
  • tjb0n81d.j9hqk.eg0ekih
  • 9fji8.pgzckbu7.nuputk
  • bullet.default.til
  • factor.apnic.constitutes

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.


Latest articles

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles