This Android malware avoids detection with a clever trick
An unsupported compression method works wonders
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Cybersecurity researchers are observing a growing number of malicious Android apps that successfully avoid being detected by mobile antivirus software. The trick is in the APK (Android Package) compression method.
By using an unknown or unsupported compression method, researchers (and ultimately, AV programs) cannot unzip the APK for analysis and thus cannot deem an app malicious.
The Androidoperating system(OS), on the other hand, doesn’t have a problem running these apps (Android 9 and newer, though - older versions don’t support these apps).
Thousands of APKs
According to BleepingComputer, the method was first spotted by Joe Security, which took to Twitter to demonstrate how an APK avoids being analyzed, yet still runs normally on an Android endpoint.
Zimperium quickly followed up on the findings, and so did zLab. The latter’s new report, issued earlier this week, argues that there are some 3,300 APKs evading detection this way, right now.
Over 50 Chinese apps banned in fresh crackdown by the Indian government>Windows 11 now has much better protection against brute-force attacks>These are the best endpoint protection tools today
The good news is that none of these apps could be found on theGoogle Play Store. That means they are being distributed through other channels. While this definitely helps reduce the number of potential victims, it also means the APKs are harder to track and remove.
Zimperium’s report comes with a list of app hashes, which can allow users to identify if they have any of the malicious ones installed on their devices. Uninstalling the apps is highly recommended, as well as scanning them with anAndroid antivirusapp afterwards, to tie any potential loose ends. Also, users are advised to be extra cautious with apps that request extraordinary permissions.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
But this is not the only method the attackers are using to avoid analysis. Zimperium says APKs come with filenames larger than 256 bytes, which causes analysis tools to crash. AndroidManifest.XML file is corrupted as well, while String Pools are malformed.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
HPE reveals critical security bug affecting networking access points
A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now
Ireland vs New Zealand live stream: how to watch 2024 rugby union Autumn International online from anywhere
