14.9 C
New York
Saturday, April 20, 2024

1000’s of Android Malware Apps Utilizing Stealthy APK Compression to Evade Detection

Aug 19, 2023THNCellular Safety / Malware

Android Malware Apps

Risk actors are utilizing Android Bundle (APK) recordsdata with unknown or unsupported compression strategies to elude malware evaluation.

That is in line with findings from Zimperium, which discovered 3,300 artifacts leveraging such compression algorithms within the wild. 71 of the recognized samples might be loaded on the working system with none issues.

There isn’t any proof that the apps have been obtainable on the Google Play Retailer at any cut-off date, indicating that the apps have been distributed via different means, sometimes by way of untrusted app shops or social engineering to trick the victims into sideloading them.


The APK recordsdata use “a way that limits the potential for decompiling the appliance for numerous instruments, decreasing the chances of being analyzed,” safety researcher Fernando Ortega stated. “As a way to do this, the APK (which is in essence a ZIP file), is utilizing an unsupported decompression methodology.”

The benefit of such an strategy is its means to withstand decompilation instruments, whereas nonetheless with the ability to be put in on Android gadgets whose working system model is above Android 9 Pie.

The Texas-based cybersecurity agency stated it began its personal evaluation after a publish from Joe Safety on X (beforehand Twitter) in June 2023 about an APK file that exhibited this habits.


Android packages use the ZIP format in two modes, one with out compression and one utilizing the DEFLATE algorithm. The essential discovering right here is that APKs packed utilizing unsupported compression strategies will not be installable on handsets working Android variations beneath 9, however they work correctly on subsequent variations.

As well as, Zimperium found that malware authors are additionally intentionally corrupting the APK recordsdata by having filenames with greater than 256 bytes and malformed AndroidManifest.xml recordsdata to set off crashes on evaluation instruments.

The disclosure comes weeks after Google revealed that menace actors are leveraging a way referred to as versioning to evade its Play Retailer’s malware detections and goal Android customers.

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles