Threat Actors Exploit Unknown Compression Methods in Android Package Files

According to Zimperium, threat actors are distributing Android Package (APK) files whose entries declare compression methods that malware-analysis tools do not support, so that the files resist decompilation and evade detection. The cybersecurity firm found 3,300 artifacts that use such compression values, 71 of which could still be loaded onto the operating system without any issues.

Interestingly, there is no evidence to suggest that these apps were available on the Google Play Store, indicating that they were likely distributed through untrusted app stores or social engineering tactics to trick victims into sideloading them.

The APK files employ a technique that blocks decompilation by a wide range of tools, making their contents difficult to analyze. Since an APK is a ZIP archive, the compression method is recorded per entry in the archive's headers; a value that a tool does not recognize stops it from unpacking the entry, while the app still installs on devices running Android 9 (Pie) and later.

Zimperium began its own analysis after a post from Joe Security on X (previously Twitter) in June 2023 brought attention to an APK file exhibiting this behavior.

It is important to note that APK files packed with unsupported compression methods cannot be installed on Android versions below 9, but they function correctly on 9 and later. Zimperium also found that the malware authors deliberately malform the APKs, using overlong file names and malformed AndroidManifest.xml files, to crash analysis tools.
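As an added illustration (not Zimperium's tooling and not code from the original post), the following Python triage script reads an archive's central directory by hand, so an unrecognized method value does not abort parsing, and flags the signs described above: a compression-method value other than stored (0) or deflate (8), a method field that differs between the central directory and the local file header, and an overlong entry name. It builds its own sample archive in memory and relabels one entry's method with the arbitrary, unassigned value 0x4242; the 255-byte name threshold and the "try raw deflate" heuristic are assumptions made for the example, not documented Android behaviour.

```python
"""Audit a ZIP/APK central directory for evasion tricks: unknown compression
methods, header/central-directory method mismatches, overlong entry names.
Added example for illustration; not Zimperium's tooling."""
import io
import struct
import zipfile
import zlib

KNOWN_METHODS = {0: "stored", 8: "deflate"}   # what a normal APK uses
LONG_NAME_THRESHOLD = 255                      # assumed threshold for "overlong"
EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def walk_entries(data: bytes):
    """Parse the central directory by hand and yield one dict per entry.
    Unlike zipfile, this never refuses an entry because of its method."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size:
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central-directory signature at {pos}")
        cd_method, = struct.unpack_from("<H", data, pos + 10)
        crc, csize = struct.unpack_from("<II", data, pos + 16)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len]
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise ValueError(f"bad local-header signature at {lfh_off}")
        lfh_method, = struct.unpack_from("<H", data, lfh_off + 8)
        l_name_len, l_extra_len = struct.unpack_from("<HH", data, lfh_off + 26)
        payload_off = lfh_off + 30 + l_name_len + l_extra_len
        yield {
            "name": name.decode("utf-8", "replace"),
            "cd_method": cd_method, "lfh_method": lfh_method, "crc": crc,
            "cd_method_off": pos + 10, "lfh_method_off": lfh_off + 8,
            "payload": data[payload_off:payload_off + csize],
        }
        pos += 46 + name_len + extra_len + comment_len


def inflates_cleanly(entry) -> bool:
    """Analyst heuristic (assumption, not Android's documented behaviour):
    if the bytes behind an unknown method inflate as raw deflate and match
    the recorded CRC-32, the method field was merely relabelled."""
    try:
        out = zlib.decompressobj(-15).decompress(entry["payload"])
    except zlib.error:
        return False
    return (zlib.crc32(out) & 0xFFFFFFFF) == entry["crc"]


def audit(data: bytes) -> list:
    """Return one human-readable finding per suspicious property."""
    findings = []
    for e in walk_entries(data):
        if e["cd_method"] not in KNOWN_METHODS:
            note = f"{e['name']}: unsupported compression method {e['cd_method']:#06x}"
            if inflates_cleanly(e):
                note += " (payload inflates as deflate; CRC matches)"
            findings.append(note)
        if e["cd_method"] != e["lfh_method"]:
            findings.append(f"{e['name']}: method differs between central directory and local header")
        nlen = len(e["name"].encode())
        if nlen > LONG_NAME_THRESHOLD:
            findings.append(f"{e['name'][:20]}...: overlong entry name ({nlen} bytes)")
    return findings


def relabel_method(data: bytes, name: str, method: int) -> bytes:
    """Rewrite an entry's method field in both headers. Used here only to
    construct the sample; a real sample arrives already relabelled."""
    buf = bytearray(data)
    for e in walk_entries(data):
        if e["name"] == name:
            struct.pack_into("<H", buf, e["cd_method_off"], method)
            struct.pack_into("<H", buf, e["lfh_method_off"], method)
    return bytes(buf)


def stdlib_can_read(data: bytes, name: str) -> bool:
    """What a stock tool does with the entry: zipfile refuses unknown methods."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
        return False


def build_sample() -> bytes:
    """Constructed sample: a normal deflate-compressed archive whose manifest
    is then relabelled with the arbitrary, unassigned method value 0x4242."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("res/" + "a" * 300 + ".xml", b"<resources/>")   # overlong name
    return relabel_method(bio.getvalue(), "AndroidManifest.xml", 0x4242)


if __name__ == "__main__":
    sample = build_sample()
    print("stdlib reads manifest:", stdlib_can_read(sample, "AndroidManifest.xml"))
    for line in audit(sample):
        print("-", line)
```

Python's zipfile refuses the relabelled manifest while reading classes.dex normally, which is the analysis gap these samples exploit; the hand-rolled parser still lists every entry, and the inflate check tells you whether the bytes behind the bogus method are ordinary deflate output.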

The finding follows Google's recent disclosure that threat actors use a technique called versioning, in which an app that passes review is later updated with malicious code, to bypass malware detections on the Play Store and target Android users.


The post Threat Actors Exploit Unknown Compression Methods in Android Package Files appeared first on satProviders.
