Threat actors are using Android APKs with unknown or unsupported compression methods to evade malware analysis. According to Zimperium's findings, 3,300 APKs use these unusual anti-analysis methods, which may cause many of them to crash. However, the researchers found a subset of 71 malicious APKs that run fine on Android OS version 9 (API 28) and later.

There is no evidence that the apps were ever available on the Google Play Store, so they were evidently distributed through other means, typically untrusted app stores or social engineering that tricks victims into sideloading them.

The APK files use “a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed,” security researcher Fernando Ortega said. “In order to do that, the APK (which is in essence a ZIP file) is using an unsupported decompression method.”

The advantage of such an approach is its resistance to decompilation tools, yet the apps can still be installed on devices running Android 9 Pie and later.

The cybersecurity firm said it began its own analysis after a June 2023 post by Joe Security on X about an APK file that exhibited this behaviour.

Android packages use the ZIP format with only two compression methods: stored (no compression) and DEFLATE. The crucial finding is that APKs packed with any other, unsupported method cannot be installed on handsets running Android versions below 9, yet they work properly on later versions.

In addition, Zimperium found that the malware authors also deliberately corrupt the APK files, using filenames longer than 256 bytes and malformed AndroidManifest.xml files to crash analysis tools.
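As an added illustration (not code from the article or from Zimperium), the following Python scanner reads an APK's ZIP central directory directly and flags entries whose compression method is neither stored (0) nor DEFLATE (8), as well as entry names longer than 256 bytes; `build_zip`, the method value 99 and the sample entries are constructed test fixtures, not real samples.

```python
import struct
import zlib

# APK loaders only accept ZIP entries that are stored (0) or DEFLATE-compressed (8).
ANDROID_SUPPORTED_METHODS = {0, 8}
MAX_SANE_NAME_LEN = 256          # the report's threshold for abnormally long entry names

def iter_central_directory(data: bytes):
    """Yield (compression_method, raw_name) per central-directory entry. The EOCD record
    is located from the file tail, so the scan works even if payloads are unreadable."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end and data[pos:pos + 4] == b"PK\x01\x02":
        (method,) = struct.unpack_from("<H", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield method, data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len

def triage_apk(data: bytes) -> list[str]:
    """Return one finding per entry that shows an anti-analysis trait from the report."""
    findings = []
    for method, name in iter_central_directory(data):
        shown = name[:32].decode("utf-8", "replace")
        if method not in ANDROID_SUPPORTED_METHODS:
            findings.append(f"unsupported compression method {method}: {shown}")
        if len(name) > MAX_SANE_NAME_LEN:
            findings.append(f"oversized filename ({len(name)} bytes): {shown}...")
    return findings

def build_zip(entries) -> bytes:
    """Constructed fixture: minimal ZIP with arbitrary method fields; payloads are written raw."""
    body, cd = b"", b""
    for name, payload, method in entries:
        crc, n, off = zlib.crc32(payload), len(payload), len(body)
        body += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, method, 0, 0, crc, n, n, len(name), 0) + name + payload
        cd += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, method, 0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, off) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries), len(cd), len(body), 0)
    return body + cd + eocd

def demo() -> list[str]:
    sample = build_zip([
        (b"AndroidManifest.xml", b"<manifest/>", 0),   # normal stored entry
        (b"classes.dex", b"dex\n035\x00", 99),          # constructed: method ID no Android loader knows
        (b"assets/" + b"A" * 300, b"x", 0),            # 307-byte name, over the 256-byte mark
    ])
    return triage_apk(sample)
```

Running `demo()` on the constructed fixture reports the method-99 entry and the oversized name while the normal manifest entry passes silently.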

Google previously revealed that threat actors were using a technique called versioning to evade the Play Store's malware detection and target Android users.


Onsa Mustafa