Cybersecurity researchers are observing a growing number of malicious Android apps that successfully avoid being detected by mobile antivirus software. The trick is in the APK (Android Package) compression method.
By using an unknown or unsupported compression method, researchers (and ultimately, AV programs) cannot unzip the APK for analysis and thus cannot deem an app malicious.
The Android operating system (OS), on the other hand, doesn’t have a problem running these apps (Android 9 and newer, though – older versions don’t support these apps).
Thousands of APKs
According to BleepingComputer, the method was first spotted by Joe Security, which took to Twitter to demonstrate how an APK avoids being analyzed, yet still runs normally on an Android endpoint.
Zimperium quickly followed up on the findings, and so did zLab. The latter’s new report, issued earlier this week, argues that there are some 3,300 APKs evading detection this way, right now.
The good news is that none of these apps could be found on the Google Play Store. That means they are being distributed through other channels. While this definitely helps reduce the number of potential victims, it also means the APKs are harder to track and remove.
Zimperium’s report comes with a list of app hashes, which can allow users to identify if they have any of the malicious ones installed on their devices. Uninstalling the apps is highly recommended, as well as scanning them with an Android antivirus app afterwards, to tie any potential loose ends. Also, users are advised to be extra cautious with apps that request extraordinary permissions.
But this is not the only method the attackers are using to avoid analysis. Zimperium says APKs come with filenames larger than 256 bytes, which causes analysis tools to crash. AndroidManifest.XML file is corrupted as well, while String Pools are malformed.