Pierluigi Paganini August 19, 2023

Threat actors are using Android Package (APK) files with unsupported compression methods to prevent malware analysis.

On June 28th, researchers from Zimperium zLab researchers observed that Joe Sandbox announced the availability of an Android APK that could not be analyzed from most of the anti-decompilation tools.

The APT could be installed on Android devices running versions above Android 9 Pie (API 28).

The technique is not new, in 2014 researchers demostrated how the compression algorithm (method) used in an APK could be tampered to remove automatic script analysis and hinder static analysis. 

“However, Android’s APK, which uses the ZIP format, supports only two compression methods. One is without any compression, i.e. the STORED method (0x0000), and the other is the DEFLATE (0x0008) compression algorithm.” reads the report published by Zimperium.”Depending on the Android version, the default behavior for unknown or unsupported methods differs:

• In Android 4.3 and below, Java ZIP-handling code checks against the method being DEFLATE, and assumes that the STORED method has been used if it does not match.
• In versions greater than Android 4.3, Android ZIP-handling assumes the compression method to be DEFLATE if the method specified does not match with STORED.

In Android versions below 9, applications using unsupported/unknown compression methods are not installable, but they work properly on versions above it.”

Zimperium experts found 3,300 artifacts using these compression algorithms, they run a retrohunt on public application repositories.

Most of these samples found by the researchers are corrupted beyond the point that the OS is able to load them, however 71 malicious samples can be properly loaded by the Android OS.

The experts have found no evidence that the apps were available on the Google Play Store a circumstance that suggests they were distributed through third-party stores or attackers used social engineering to trick the victims into installing them.

The researchers also identified additional corruptions to the APK files to avoid analysis tools, such as using filenames with more than 256 bytes, malformed AndroidManifest.xml file, and Malformed String Pool.

The report also includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)