3,000+ Android Malware Using Unique Compression Methods

Android Smartphones lay a vital role in our daily life, as they help us to stay connected and, not only that even it also helps in performing several daily tasks like:-

  • Shopping
  • Banking
  • Browsing
  • Connections

But, besides this, it also attracts the attention of cybercriminals or threat actors since smartphones hold our valuable and confidential data.

Cybersecurity researchers at Zimperium zLab recently identified an application package file (APK) dubbed “a.apk” that could be installed on the Android OS version above Android 9 Pie, but, it can’t be scanned from most of the anti-decompilation tools.

THE EXPERTS DETECTED this APK sample (2f371969faf2dc239206e81d00c579ff) on a Tweet published by Joe Security.

Detected APK overview

  • APK Sample Name: a.apk
  • Description: Yara detected apk with invalid zip compression
  • Analysis ID: 895672
  • MD5: 2f371969faf2dc239206e81d00c579ff
  • SHA1: 0ad5289c6b7a438e3970149b183e74b89f534109
  • SHA256: b3561bf581721c8
  • Rule: JoeSecurity_apk_invalid_zip_compression

Android Malware Unique Compression

While this sample prevents the decompilation by employing a decompression method that is completely unsupported within its APK which is a zip file that makes the complete analysis difficult for many tools.

Classification (Source – Joe Sandbox)

However, though it’s an old method, it’s sophisticated in nature and involves altering APK compression algorithms to evade the automatic script analysis so, that the static examination could be prevented.

With a 16-bit scope, 65,536 options exist, but Android’s APK, utilizing ZIP, accommodates just two compression methods.

Here below, we have mentioned those two compression methods:-

  • STORED method (0x0000)
  • DEFLATE (0x0008) compression algorithm

Moreover, the unsupported compression methods in Android versions below 9 block installation, but in the case of the above Android 9 version, it functions properly.

Certain tools, like MacOS Archive Utility, fail to extract critical analysis files like “AndroidManifest.xml” from the APK. But, besides this, the JEB, in its latest release, now fixed this flawed compression.

Techniques Detected

Here below we have mentioned all the techniques that are detected by the security analysts:-

  • Filenames with more than 256 bytes
  • Malformed AndroidManifest.xml file
  • Malformed String Pool

Cybersecurity analysts at Zimperium zLabs discovered that to prevent the analysis, all the 3,300  samples were utilizing ‘unsupported unknown compression,’ and they even found some too corrupted samples for the OS to load.

Out of these identified malicious samples, security analysts were able to find only 71 Android OS-loadable malicious samples, and among these samples, none of them are available in Google Play Store at the moment.

IoC

Malicious apps using an unsupported unknown compression method:-

  • com.freerdplalobydarkhack.con
  • package.name.suffix
  • com.google.android.inputmethod.latia
  • numeric.contents.desktor
  • health.karl.authority
  • charlie.warning.professional
  • imperial.xi.asia
  • turner.encouraged.matches
  • insta.pro.prints
  • com.ace.measures
  • eyes.acquisition.handed
  • xhtml.peripherals.bs
  • com.google.services
  • google.clood.suffix
  • friends.exec.items
  • com.deveops.frogenet.service
  • com.yc.pfdl
  • publicity.inter.brooklyn
  • consist.prior.struck
  • disaster.considering.illinois
  • splash.app.main
  • labeled.configuring.servies
  • regarded.editors.association
  • com.appser.verapp
  • widely.sharp.rugs
  • handmade.catalogs.urgent
  • com.gem.holidays
  • lemon.continental.prince
  • com.koi.tokenerror
  • cmf0.c3b5bm90zq.patch
  • com.ilogen.com
  • one.enix.smsforward
  • com.app.app
  • per.hourly.wiki
  • com.mobihk.v
  • com.gmail.net
  • broadway.ssl.seasonal
  • Fees.abc.laugh
  • tjb0n81d.j9hqk.eg0ekih
  • 9fji8.pgzckbu7.nuputk
  • bullet.default.til
  • factor.apnic.constitutes

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *