Cyber attackers are using Android Package (APK) files that rely on unfamiliar or unsupported compression methods to evade detection during malware analysis. Zimperium’s investigation found 3,300 samples employing such compression methods, 71 of which the Android operating system loads without issue.
The researchers said: “We identified 71 malicious samples that the Android OS is able to load properly. None of these applications are currently available in the Google PlayStore and we do not have any evidence to support that they were at any point in time. For this reason, it’s likely that the distribution method was through third party stores or through tricking the user to sideload the app using some sort of social engineering or phishing attack.”
How was it distributed?
These apps were never listed on the Google Play Store, indicating alternative distribution channels like untrusted app stores or manipulation via social engineering to coax victims into sideloading them.
The APK files employ a tactic that makes it hard for common tools to decompile the application for analysis. According to security researcher Fernando Ortega, this is achieved by declaring an unsupported compression method inside the APK, which is itself a ZIP archive. The result resists decompilation tools while remaining loadable on Android devices running operating system versions above Android 9 Pie.
Zimperium Analysis
Zimperium, a cybersecurity company based in Texas, embarked on its analysis journey following a June 2023 post by Joe Security on X (formerly Twitter). This post drew attention to an APK exhibiting the described behavior.
The files inside an APK are typically packaged in one of two modes:
- One without compression, and
- Another using the DEFLATE algorithm.
The pivotal discovery is that APKs employing non-supported compression methods cannot be installed on Android devices running versions earlier than 9, but they function smoothly on subsequent versions.
Moreover, Zimperium found that malware authors deliberately corrupt the APK files further by using filenames exceeding 256 characters and malformed AndroidManifest.xml files, which causes analysis tools to crash.
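As an added example (not Zimperium’s tooling or the page’s own code), the following Python scanner reads an APK’s ZIP central directory directly and flags the two indicators described above: entries declaring a compression method other than stored or DEFLATE, and entry names longer than 256 characters. The sample archive is constructed inline, the bogus method id 0x0DAD is an assumption, and the last function shows that a stock ZIP reader refuses such an entry, which is the failure analysis tools trip over.

```python
import io
import struct
import zipfile

EXPECTED_METHODS = {0, 8}   # stored and DEFLATE: the two methods APK tooling expects
MAX_NAME_LEN = 256          # names longer than this were used to crash analysis tools
CD_ENTRY = "<HHHHHHIIIHHHHHII"  # central-directory header fields after the 4-byte signature

def scan_apk(data: bytes):
    """Walk the ZIP central directory by hand and return [(name, method, [issues])]."""
    eocd = data.rfind(b"PK\x05\x06")          # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos, findings = cd_off, []
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        f = struct.unpack_from(CD_ENTRY, data, pos + 4)
        method, name_len, extra_len, comment_len = f[3], f[9], f[10], f[11]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        issues = []
        if method not in EXPECTED_METHODS:
            issues.append(f"unsupported compression method {method:#06x}")
        if name_len > MAX_NAME_LEN:
            issues.append(f"filename length {name_len} exceeds {MAX_NAME_LEN}")
        findings.append((name, method, issues))
        pos += 46 + name_len + extra_len + comment_len
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample (not a real malware file): a tiny DEFLATE-compressed ZIP
    whose 'classes.dex' central-directory method is rewritten to an unsupported id."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("assets/" + "A" * 300, b"x")   # over-long entry name
    data = bytearray(buf.getvalue())
    pos = struct.unpack_from("<I", data, data.rfind(b"PK\x05\x06") + 16)[0]
    while data[pos + 46:pos + 57] != b"classes.dex":   # advance to that entry
        f = struct.unpack_from(CD_ENTRY, data, pos + 4)
        pos += 46 + f[9] + f[10] + f[11]
    struct.pack_into("<H", data, pos + 10, 0x0DAD)   # assumed bogus method id
    return bytes(data)

def stock_reader_can_open(data: bytes, name: str) -> bool:
    """A stock ZIP reader (Python's zipfile) gives up on an unknown method."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z, z.open(name) as fh:
            fh.read()
        return True
    except NotImplementedError:
        return False
```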
Will being secure always remain a question?
The approach is particularly effective against Android devices running versions above Android 9 Pie, allowing these malicious APKs to infiltrate systems undetected. The ability to sidestep traditional analysis tools and techniques demonstrates the adaptability and resourcefulness of cyber criminals.
These developments coincide with Google’s recent disclosure that attackers abuse app versioning to get past the Play Store’s malware detection mechanisms. This combined effort by cyber attackers to exploit weaknesses at multiple levels emphasizes the urgent need for continuous vigilance, updated security protocols, and a proactive approach to staying secure.