
Threat Actors Using Unsupported Compression Methods to Elude Android Malware Analysis

In the world of mobile applications, security researchers have identified a new threat preying on Android package (APK) files. According to research published by Zimperium, malicious actors are distributing APKs that use unknown or unsupported compression methods. The goal is to evade malware analysis, and the technique poses a serious threat to the Android ecosystem.

Zimperium's findings are notable: 3,300 artifacts were observed using obscure or unsupported compression methods. Although such files appear incompatible with most analysis tooling, 71 of the samples could be loaded on Android devices without any visible problems. There is no evidence that these APKs were ever available on the official Google Play Store, which points to alternative distribution channels, most likely third-party app stores or social engineering that tricks victims into sideloading the applications.

Security researcher Fernando Ortega describes the technique as a form of evasion. APK files are essentially ZIP archives, and these samples use a compression method that most tools do not support, which prevents the majority of decompilers from unpacking the application and reduces the chance that it is analyzed at all.

While this is a headache for analysts, the approach gives threat actors a clear advantage: it defeats common decompilation tools, yet the package still installs on devices running Android 9 Pie or later.

The insight came from a review by the Texas-based security company Zimperium, prompted by a post from Joe Security on X (formerly Twitter) in June 2023 that showed an APK file exhibiting the same evasive behavior.

Android packages use the ZIP format, with each entry either stored uncompressed or compressed with the DEFLATE algorithm. The samples in question are instead packed with non-standard compression methods that earlier Android versions cannot process but newer ones accept. For an analyst, a compression method field in an APK's ZIP headers that is anything other than 0 (stored) or 8 (DEFLATE) is therefore a red flag in its own right.

Adding another layer to this evasion game, Zimperium also found that the attackers deliberately corrupt the APKs in other ways, such as using file names longer than 256 bytes and malforming the AndroidManifest.xml file, both of which crash various analysis tools.
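The checks below are an added example, not code from Zimperium's report or from the article, covering the two techniques described above: unsupported compression methods and oversized file names, plus a missing manifest. The script parses the APK's ZIP central directory by hand, so an entry that would make a stock ZIP library give up does not abort the listing, and it contrasts that with what Python's own zipfile does on the same file. The APK it scans is constructed inline and then patched the way the report describes; the method value 0xEF is an arbitrary number chosen for the sample, not a real method identifier.

```python
"""ZIP-level triage for evasive APKs (added example, not Zimperium's tooling).

Flags:
  * a compression method other than STORED (0) or DEFLATE (8)
  * an entry name longer than 256 bytes
  * a missing AndroidManifest.xml
The sample APK is constructed inline; 0xEF is an arbitrary method value.
"""
import io
import struct
import zipfile
from dataclasses import dataclass

EOCD_SIG = b"PK\x05\x06"      # end of central directory record
CDFH_SIG = b"PK\x01\x02"      # central directory file header
STORED, DEFLATED = 0, 8       # the two methods APKs normally use
MAX_SANE_NAME = 256
UNSUPPORTED_METHOD = 0xEF     # constructed value for the sample, not a real method id


@dataclass
class Entry:
    name: bytes
    method: int
    cd_offset: int    # offset of this entry's central directory header
    lfh_offset: int   # offset of its local file header


def parse_central_directory(data: bytes) -> list[Entry]:
    """Walk the central directory without zipfile (layouts per APPNOTE.TXT).
    EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_off(4) ...
    CDFH: sig(4) ver(2) ver_needed(2) flags(2) method(2) ... name_len(2) at +28,
          extra_len(2) at +30, comment_len(2) at +32, lfh_offset(4) at +42."""
    # The EOCD may be followed by up to 0xFFFF bytes of comment, so scan back.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        method = struct.unpack_from("<H", data, pos + 10)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh_offset = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len]
        entries.append(Entry(name, method, pos, lfh_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def triage(data: bytes) -> list[str]:
    """Return human-readable findings for the three anomalies above."""
    entries = parse_central_directory(data)
    findings = []
    for e in entries:
        label = e.name[:32].decode("latin-1")
        if e.method not in (STORED, DEFLATED):
            findings.append(f"{label}: unsupported compression method {e.method}")
        if len(e.name) > MAX_SANE_NAME:
            findings.append(f"{label}...: name is {len(e.name)} bytes (> {MAX_SANE_NAME})")
    if not any(e.name == b"AndroidManifest.xml" for e in entries):
        findings.append("AndroidManifest.xml missing")
    return findings


def stock_tool_can_extract(data: bytes, name: str) -> bool:
    """What a generic ZIP library does with such an entry: Python's zipfile
    lists it fine but refuses to decompress an unknown method."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


def build_sample_apk() -> bytes:
    """Constructed input: a DEFLATE-compressed APK skeleton; classes.dex then
    gets its method field rewritten (CD and LFH copies) and one resource
    gets a 300-character name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/raw/" + "A" * 300, b"\x89PNG")
    data = bytearray(buf.getvalue())
    for e in parse_central_directory(bytes(data)):
        if e.name == b"classes.dex":
            struct.pack_into("<H", data, e.cd_offset + 10, UNSUPPORTED_METHOD)  # CDFH method
            struct.pack_into("<H", data, e.lfh_offset + 8, UNSUPPORTED_METHOD)  # LFH method
    return bytes(data)


if __name__ == "__main__":
    apk = build_sample_apk()
    for line in triage(apk):
        print(line)
    print("zipfile can read classes.dex:", stock_tool_can_extract(apk, "classes.dex"))
```

Parsing the central directory yourself is the point: the same entries that make zipfile raise on extraction are still listed and flagged, which is the behaviour you want from a triage step that runs before any decompiler touches the file.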

This revelation comes only weeks after Google reported that threat actors are using a technique known as "versioning" to slip past the Google Play Store's malware checks and target unsuspecting Android users. In this landscape, staying current with the latest cybersecurity news, insights, and tips remains worthwhile.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.

