Konfety copies legitimate Google Play apps' names and becomes a "decoy twin" distributed in other app stores.
The new iteration of Konfety, the Android app-spoofing malware, adds further obfuscation techniques; the malware pushes unauthorised app downloads, visits to malicious sites and bogus browser notifications.
According to a Zimperium analysis reported by BleepingComputer, Konfety not only copies the names and branding of legitimate Google Play apps to pose as "decoy twins" distributed through other app stores, but also uses dynamic code loading to hide its malicious logic inside an encrypted DEX file.
The malware's APK files are also tampered with so that analysis tools either fail to parse them or show fake password prompts, because the files use features the tools do not support and carry false signals that they are encrypted.
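As an added illustration of the "false encryption signal" trick described above (this is example code written for this page, not code from Zimperium's report or from any Konfety sample), the following Python script walks the central directory of an APK, which is an ordinary ZIP archive, and flags entries whose general-purpose bit 0 (the ZIP "encrypted" flag) is set or whose compression method is outside the stored/deflate pair that most Android tooling expects. The fixture APK, the `com.example.decoy` package name and the function names are constructed for the example; the only real-world fact relied on is the ZIP header layout from PKWARE's APPNOTE.

```python
"""Detect ZIP/APK central-directory entries that claim to be encrypted or use
a compression method common analysis tools cannot handle.  Example code for
this page; the sample archive below is a constructed fixture, not malware."""
import io
import struct
import zipfile

CENTRAL_DIR_SIG = b"PK\x01\x02"
END_OF_CENTRAL_DIR_SIG = b"PK\x05\x06"
CD_HEADER = "<4sHHHHHHIIIHHHHHII"   # 46-byte central directory file header
FLAG_ENCRYPTED = 0x0001             # general-purpose bit 0: "file is encrypted"
SUPPORTED_METHODS = {0, 8}          # stored and deflate; what APK tooling expects


def _find_central_directory(data: bytes) -> int:
    """Return the central directory offset recorded in the EOCD record."""
    eocd = data.rfind(END_OF_CENTRAL_DIR_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # sig, disk, cd_disk, n_this_disk, n_total, cd_size, cd_offset, comment_len
    cd_offset = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])[6]
    return cd_offset


def scan_central_directory(data: bytes):
    """Yield (name, flags, method) for every central-directory entry."""
    pos = _find_central_directory(data)
    while data[pos:pos + 4] == CENTRAL_DIR_SIG:
        fields = struct.unpack(CD_HEADER, data[pos:pos + 46])
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, flags, method
        pos += 46 + name_len + extra_len + comment_len


def suspicious_entries(data: bytes) -> list:
    """Entries that claim encryption or use a method outside SUPPORTED_METHODS."""
    findings = []
    for name, flags, method in scan_central_directory(data):
        reasons = []
        if flags & FLAG_ENCRYPTED:
            reasons.append("encryption flag set")
        if method not in SUPPORTED_METHODS:
            reasons.append("unusual compression method %d" % method)
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


def tool_sees_as_encrypted(data: bytes, name: str) -> bool:
    """True if the stdlib zipfile refuses the entry for lack of a password,
    the same behaviour that surfaces as a bogus password prompt in GUI tools."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
        except RuntimeError as exc:
            return "encrypted" in str(exc)
    return False


def build_sample_apk(false_encryption_on=None) -> bytes:
    """Constructed fixture: a minimal APK-shaped ZIP.  If false_encryption_on
    names an entry, that entry's central-directory flags are patched to claim
    encryption while its payload stays plain deflate (no real encryption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.decoy'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if false_encryption_on:
        pos = _find_central_directory(bytes(data))
        while data[pos:pos + 4] == CENTRAL_DIR_SIG:
            fields = struct.unpack(CD_HEADER, bytes(data[pos:pos + 46]))
            name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
            name = bytes(data[pos + 46:pos + 46 + name_len]).decode()
            if name == false_encryption_on:
                # the flags field sits at offset 8 of the 46-byte header
                data[pos + 8:pos + 10] = struct.pack("<H", fields[3] | FLAG_ENCRYPTED)
            pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    clean = build_sample_apk()
    forged = build_sample_apk(false_encryption_on="classes.dex")
    print("clean  :", suspicious_entries(clean))
    print("forged :", suspicious_entries(forged))
    print("zipfile asks for a password:", tool_sees_as_encrypted(forged, "classes.dex"))
```

Because the check reads the central directory directly rather than through a ZIP library, it keeps working on archives that make the library bail out; in triage, an APK whose `classes.dex` is flagged as encrypted while the Android package installer accepts it is a strong hint that the flag is a decoy rather than real protection.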
Once installed, the malware hides its app icon and name and uses geofencing to vary its behaviour according to the user's location, Zimperium researchers said.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.