
Cybersecurity researchers have discovered a new, sophisticated variant of the known Android malware Konfety, which uses an "evil twin" technique to enable ad fraud.
The approach relies on two variants of an application sharing the same package name: a benign "decoy" app is hosted on the Google Play Store, while its evil twin is distributed through third-party sources.
It is worth pointing out that the decoy apps do not necessarily need to be published by the threat actors themselves and may be entirely legitimate. The only requirement is that the malicious app shares the exact same package name as the legitimate counterpart already available in the Play Store.
"The threat actors behind Konfety are highly adaptable, consistently changing the ad networks they target and updating their methods to avoid detection," says Fernando Ortega, a researcher at Zimperium zLabs. "This latest variant shows refinement by specifically tampering with the APK's ZIP structure."

The use of malformed APKs lets the threat actors evade detection and frustrate reverse-engineering efforts. In addition to dynamically loading the main DEX (Dalvik Executable) payload at runtime, the newly discovered version sets bit 0 of the ZIP General Purpose Bit Flag, which declares the entry as encrypted.
This triggers an incorrect password prompt when an attempt is made to inspect the Android package, blocking access and complicating efforts to analyze its contents.
The second technique falsely declares BZIP compression for the app's manifest file ("AndroidManifest.xml") inside the archive, causing analysis tools like APKTool and JADX to crash with parsing failures. A similar compression-based defense evasion technique was previously highlighted by Kaspersky in another Android malware called SoumniBot.
Running the main payload via dynamic code loading adds another layer of stealth during initial scanning or reverse engineering, Zimperium pointed out. During execution, the DEX payload is decrypted and loaded directly into memory without raising any red flags.
"This multi-layered obfuscation approach, combining encrypted assets, runtime code injection, and deceptive manifest declarations, demonstrates the evolving refinement of Konfety operations and the ongoing efforts to evade analysis and bypass detection mechanisms," Ortega said.
Similar to previous iterations reported by HUMAN last year, Konfety abuses the CaramelAds Software Development Kit (SDK) to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.
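The two ZIP-level anomalies described above can be triaged without a full APK parser. This is an added example, not Zimperium's tooling or code from the article: it walks the ZIP central directory by hand and flags any entry that claims encryption via General Purpose Bit Flag bit 0 or uses a compression method other than Store/Deflate; the `build_sample` fixture is a constructed stand-in for an APK, not a real sample.

```python
"""Triage the two ZIP tricks described above: GPBF bit 0 set (entry claims to
be encrypted) and a BZIP2 method on AndroidManifest.xml, read straight from
the central directory rather than trusting zipfile to parse it."""
import io
import struct
import zipfile

CEN_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
ENCRYPTED = 0x0001        # General Purpose Bit Flag bit 0
ALLOWED = {0, 8}          # Store and Deflate are what Android expects


def iter_central_directory(data: bytes):
    """Yield (name, gp_flags, method) for every central directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)
        yield data[pos + 46:pos + 46 + n].decode("utf-8", "replace"), flags, method
        pos += 46 + n + m + k   # fixed header + name + extra + comment


def find_anomalies(apk: bytes) -> list[str]:
    """Return findings for the triage queue; an empty list means the ZIP looks sane."""
    findings = []
    for name, flags, method in iter_central_directory(apk):
        if flags & ENCRYPTED:
            findings.append(f"{name}: encryption flag set (GPBF bit 0)")
        if method not in ALLOWED:
            findings.append(f"{name}: unexpected compression method {method} (12 = BZIP2)")
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed stand-in for an APK: clean, or with both anomalies on the manifest entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0", zipfile.ZIP_DEFLATED)
        z.writestr("AndroidManifest.xml", b"<manifest/>",
                   zipfile.ZIP_BZIP2 if tamper else zipfile.ZIP_DEFLATED)
    data = bytearray(buf.getvalue())
    if tamper:  # last occurrence of the name is its central directory record; flags sit 38 bytes before it
        data[data.rfind(b"AndroidManifest.xml") - 38] |= ENCRYPTED
    return bytes(data)
```

Running `find_anomalies` over a real APK's bytes yields one line per suspicious entry; a clean Play Store build returns nothing.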

It comes with the ability to redirect users to malicious websites, prompt them to install unwanted apps, and trigger persistent spam-like browser notifications. Additionally, the malware hides the app's icon and uses geofencing to change its functionality based on the victim's region.
The development comes as ANY.RUN detailed a Chinese Android packer tool known as Ducex, which is primarily designed to hide embedded payloads such as Triada inside fake Telegram apps.
"Ducex employs heavy obfuscation via function encryption, using a modified RC4 algorithm with added shuffling," says Alina Markova, a researcher at ANY.RUN. "Ducex creates major obstacles to debugging. It performs APK signature verification and fails if the app is re-signed. It also employs self-tracing using fork and PTRACE to block external tracing."
Additionally, Ducex is designed to detect the presence of popular analysis tools such as Frida, Xposed, and Substrate, and terminates itself if any are present.
The findings follow a new study in which a team of researchers from TU Wien and the University of Bayreuth detailed a new technique that can be weaponized by malicious apps to covertly bypass Android's permission system and carry out sensitive data access and destructive actions.
In short, the attack hijacks user interactions on Android devices by overlaying the visible app, such as a game, with a hidden screen, secretly launching user interface elements underneath it, and performing unwanted actions such as installing malware or granting intrusive app permissions.

"Usually, Android shows an animation when the screen changes, such as a new screen sliding or fading in," said researchers Philipp Beer, Marco Squarcina, Sebastian Roth and Martina Lindorfer. "However, an app can tell the system that it should use a custom animation instead. This animation runs for a long time and leaves the new screen completely transparent and hidden."
"The taps you make during this animation go to the hidden screen, not the visible app. The app can use this to make you tap a specific area of the screen that corresponds to a sensitive action on the hidden screen, allowing it to perform that action without your knowledge."
In a hypothetical attack scenario, a game published by a threat actor and installed by a victim could secretly open a web browser session and grant camera permission to a malicious website.
That said, the impact of TapTrap extends beyond the Android ecosystem, opening the door to tapjacking and web clickjacking attacks. The issue has been addressed in GrapheneOS, Chrome 135 (CVE-2025-3067), and Firefox 136 (CVE-2025-1939). Android 16 remains susceptible to the attack.