There’s a dangerous game of hide and seek taking place on your phone. The tradecraft behind the malicious app industry is fast becoming as much about hiding as attacking. If you can’t be seen, then you can’t be deleted. And more damage will be done.
That’s the crux of the new warning from Zimperium, whose zLabs team followed up on Human’s report into Konfety evil twin attacks that I covered a year ago. “At its peak,” Human said, “Konfety-related programmatic bids reached 10 billion requests per day.”
“Bids per day” because this is an adware (advertising fraud) attack. The ruse is simple. The bad actors create two versions of an app that share the same name, including the package name. One is benign and is uploaded to Google’s Play Store, with some basic, barely useful features. The second “evil twin” version of the app is dangerous, and is distributed via other channels.
The evil twin floods its host phone with unwanted ads, often taking up the entire screen, making it difficult to actually operate the phone. Because the evil twin reports the same package name as the legitimate listing, its ad requests look like traffic from a Play Store app, and advertisers end up paying for impressions delivered by malware. That is what generates revenue for the bad actors.
Now, “as part of our ongoing mission to identify emerging threats to mobile security,” Zimperium says it has been “actively tracking a new, sophisticated variant” of the threat.
The zLabs team says the threat actors behind Konfety “consistently alter their targeted ad networks and update their methods to evade detection.” In the latest variants of the malware, this includes “specifically tampering with the APK’s ZIP structure… to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.”
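The report above says only that the APK's ZIP structure is tampered with so that standard tooling chokes on it; it does not spell out which fields are touched. The example below is added here, is not Zimperium's or Human's code, and assumes two tricks for illustration: an encryption bit set in the central directory (with no encryption actually applied) and a bogus compression method written into one local file header. It parses the ZIP central directory and local headers directly, reports inconsistencies, and contrasts that with what Python's own zipfile module notices. The sample "APK" is constructed in memory.

```python
import io
import struct
import zipfile

# ZIP record signatures and fixed-size header layouts (all little-endian).
EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
LFH_SIG = b"PK\x03\x04"
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory header, 46 bytes
LFH_FMT = "<4sHHHHHIIIHH"         # local file header, 30 bytes
FLAG_ENCRYPTED = 0x0001           # general purpose bit 0
ALLOWED_METHODS = {0, 8}          # stored and deflate, the methods an APK may use


def parse_central_directory(data):
    """Walk the central directory and return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory signature at 0x%x" % pos)
        f = struct.unpack_from(CDH_FMT, data, pos)
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "cd_pos": pos, "flags": f[3], "method": f[4],
                        "lfh_off": f[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def audit_apk_zip(data):
    """Return (entry name, finding) pairs for structural anomalies an APK should never have."""
    findings = []
    for e in parse_central_directory(data):
        if e["flags"] & FLAG_ENCRYPTED:
            findings.append((e["name"], "encryption bit set in central directory"))
        if e["method"] not in ALLOWED_METHODS:
            findings.append((e["name"], "unsupported compression method %d" % e["method"]))
        off = e["lfh_off"]
        if off + 30 > len(data) or data[off:off + 4] != LFH_SIG:
            findings.append((e["name"], "local header offset does not point at a local header"))
            continue
        l = struct.unpack_from(LFH_FMT, data, off)
        l_flags, l_method, l_name_len = l[2], l[3], l[9]
        l_name = data[off + 30:off + 30 + l_name_len].decode("utf-8", "replace")
        if l_name != e["name"]:
            findings.append((e["name"], "name differs in local header: %r" % l_name))
        if l_method != e["method"]:
            findings.append((e["name"], "compression method differs: central=%d local=%d"
                             % (e["method"], l_method)))
        if (l_flags ^ e["flags"]) & FLAG_ENCRYPTED:
            findings.append((e["name"], "encryption bit differs between local and central headers"))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: a plain ZIP with two placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 8)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper(data):
    """Apply the two assumed tricks; the real samples' edits are not described on the page."""
    b = bytearray(data)
    entries = {e["name"]: e for e in parse_central_directory(data)}
    m = entries["AndroidManifest.xml"]
    # flags field sits at +8 in the central directory header; set the encryption bit there only
    struct.pack_into("<H", b, m["cd_pos"] + 8, m["flags"] | FLAG_ENCRYPTED)
    d = entries["classes.dex"]
    # compression method sits at +8 in the local file header; write a method nothing supports
    struct.pack_into("<H", b, d["lfh_off"] + 8, 99)
    return bytes(b)


def stdlib_reads_ok(data, name):
    """True if Python's zipfile can read the entry as-is; shows which tricks a stock parser notices."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            z.read(name)
        return True
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
        return False


if __name__ == "__main__":
    sample = tamper(build_sample_apk())
    for name, finding in audit_apk_zip(sample):
        print("%-20s %s" % (name, finding))
    for name in ("AndroidManifest.xml", "classes.dex"):
        print("zipfile reads %s: %s" % (name, stdlib_reads_ok(sample, name)))
```

The point of running both checks side by side is that a stock parser such as zipfile refuses the "encrypted" manifest outright (so a scanner built on it never sees the manifest) but silently reads the dex entry whose local header claims an impossible compression method, because it trusts the central directory alone. A triage tool that cross-checks local headers against the central directory catches both, and any mismatch in a signed APK is itself a strong signal, since legitimate build tools never produce one.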
The scale of this adware industry is out of control. Not all such attacks operate at this scale, but most (though not all) are driven by apps sideloaded from outside the official app stores. The easiest way to stay safe is to stop sideloading.
That’s why Google’s new Advanced Protection Mode, which arrives with Android 16, blocks sideloading with no option to disable or work around that protection. Apps installed that way carry significantly more risk to users, their phones and their data.
“Konfety’s operations depict the latest in a series of adaptations from ad fraudsters to cloak their activities using novel tactics that enable them to evade detection,” Human said last year. The new report from Zimperium shows that nothing has changed.