To avoid malware analysis, threat actors use Android APKs with unsupported or unidentified compression techniques. Zimperium’s findings show that 3,300 APKs are using these peculiar anti-analysis techniques, which could lead to many of them crashing. A subset of 71 malicious APKs, however, were discovered by the researchers to be compatible with Android OS versions 9 (API 28) and beyond.
There is no evidence that the apps were ever made available through the Google Play Store; the programs were without doubt distributed through other channels. Typically, victims are tricked into sideloading such apps via untrustworthy third-party app stores or social engineering.
Thousands of Android APKs Use Compression Methods to Evade Malware Analysis
The APK files employ “a technique that limits the possibility of decompiling the application for a large number of tools, reducing th
ybersecurity company claimed that after reading Joe Security’s post on X in June 2023 about an APK file that displayed similar behavior, it began its own investigation.
Android packages support two ZIP compression methods: stored (no compression) and DEFLATE. The key finding is that devices running Android versions below 9 cannot install APKs whose entries use unsupported compression methods, whereas on Android 9 and later such APKs install and run correctly.
Zimperium also found evidence that malware developers deliberately corrupt APK files: the archives contain file names longer than 256 characters and malformed AndroidManifest.xml files that cause analysis tools to crash.
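As an added illustration (not code from the article or from Zimperium), the Python script below hand-builds a small APK-style ZIP in memory containing one entry declared under a compression method Android does not support and one entry with an over-long file name. It then walks the central directory to flag both anomalies and a missing manifest, and shows the failure mode the article describes: a standard ZIP reader can list such an entry but cannot decode it. The archive contents, the method code 99, and the helper names are all constructed for this example.

```python
"""Audit a ZIP/APK central directory for anti-analysis tricks.

Android's installer only understands ZIP method 0 (stored) and 8 (DEFLATE).
Entries declaring any other method, over-long file names, or a missing
AndroidManifest.xml are the signals described in the article. The sample
archive below is constructed in memory so the script runs offline.
"""
import io
import struct
import zipfile
import zlib

ANDROID_SUPPORTED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}  # 0 and 8
MAX_SANE_NAME_LEN = 256  # threshold quoted in the article


def build_zip(entries):
    """Build a minimal ZIP by hand so any method code can be written.

    entries: list of (filename, data, method). Data is DEFLATE-compressed for
    method 8 and written verbatim for anything else, which is exactly what a
    standard reader sees when an archive declares a method it cannot decode.
    Hypothetical helper written for this example, not part of any real tool.
    """
    out = io.BytesIO()
    central = []
    for name, data, method in entries:
        name_b = name.encode("ascii")
        if method == zipfile.ZIP_DEFLATED:
            comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE stream
            payload = comp.compress(data) + comp.flush()
        else:
            payload = data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length.
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                              crc, len(payload), len(data), len(name_b), 0))
        out.write(name_b + payload)
        # Central directory header mirrors the local header and adds the
        # comment length, disk number, attributes and local header offset.
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0,
                                   method, 0, 0, crc, len(payload), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    # End of central directory record.
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                          len(entries), len(cd), cd_offset, 0))
    return out.getvalue()


def audit_apk(blob):
    """Return (entry name, reason) pairs for every suspicious entry.

    Only the central directory is parsed, so the audit still works when the
    entry bodies themselves cannot be decoded.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        for zi in infos:
            if zi.compress_type not in ANDROID_SUPPORTED_METHODS:
                findings.append((zi.filename,
                                 f"unsupported compression method {zi.compress_type}"))
            if len(zi.filename) > MAX_SANE_NAME_LEN:
                findings.append((zi.filename,
                                 f"file name of {len(zi.filename)} characters"))
        if "AndroidManifest.xml" not in {zi.filename for zi in infos}:
            findings.append(("AndroidManifest.xml", "manifest entry missing"))
    return findings


def entry_readability(blob):
    """Map each entry name to True if a standard ZIP reader can decode it.

    Listing succeeds for every entry, but decompressing one that declares an
    unknown method raises, which is what breaks naive analysis tooling.
    """
    readable = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            try:
                zf.read(zi)
                readable[zi.filename] = True
            except NotImplementedError:
                readable[zi.filename] = False
    return readable


# Constructed sample: two ordinary entries plus the two tricks from the text.
SAMPLE_APK = build_zip([
    ("AndroidManifest.xml", b"<manifest package='example.test'/>", zipfile.ZIP_DEFLATED),
    ("classes.dex", b"dex\n035\x00" + b"\x00" * 16, zipfile.ZIP_STORED),
    ("res/raw/blob.bin", b"\xde\xad\xbe\xef" * 8, 99),      # method Android lacks
    ("assets/" + "a" * 300, b"x", zipfile.ZIP_STORED),        # 307-character name
])

if __name__ == "__main__":
    for name, reason in audit_apk(SAMPLE_APK):
        print(f"{name[:40]:<40} {reason}")
    for name, ok in entry_readability(SAMPLE_APK).items():
        print(f"{name[:40]:<40} {'readable' if ok else 'NOT decodable'}")
```

The audit deliberately reads only central-directory metadata, so it does not depend on being able to decompress anything; a triage pipeline can apply it to every incoming APK before handing the file to a decompiler that might choke on the unsupported entry.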
Google has also disclosed that threat actors use a technique known as versioning to target Android users while evading malware detection on the Play Store.