How Thousands Of Malicious Android Apps Are Hiding In Plain Sight

This month, researchers at Zimperium’s zLab reported on a means by which thousands of Android malware samples were evading detection and analysis. It is claimed that over three thousand samples use this technique, which involves tampering with the field that establishes what compression method is used for the application package file (APK).

In June, the researchers noted a tweet from Joe Sandbox mentioning that an APK file could not be analyzed with tools but could be installed on Android devices with an OS version higher than Android 9. For context, APK files are more or less ZIP files with similar headers, such as the compression method field. Traditionally, Android APKs only use two compression methods, without any compression or the STORED method or DEFLATE compression algorithm. While only two options are supported, the field indicating what method is used is a 16-bit field, meaning that one could technically define 65,536 methods.


Given this, the malware creators could modify this field to be anything other than the STORED or DEFLATE methods. This proves to be problematic for automatic tools and scripts used for analysis, as said tools cannot handle what appears to be a broken file. However, Android, on the other hand, has handling built in for this with Android 4.3 and above, assuming the method to be DEFLATE if it does not match stored, and the inverse for below Android 4.3. Further, in Android versions 9 and below, applications with unknown compression methods are not installable but normally work on versions above 9.

Therefore, malicious apps can effectively break automated analysis attempts while still being installable on newer versions of Android. There are a few other methods that the researchers found, such as employing filenames longer than 256 bytes, using malformed AndroidManifest.xml files, and implementing a malformed string pool. In any event, these techniques are not necessarily new (PDF) but are still problematic for researchers trying to track Android malware.

The Zimperium researchers ultimately found 3,300 samples using the unknown or unsupported compression method to prevent analysis. Of course, many of the samples were corrupted so much that the operating system could not actually load the application. However, 71 of these samples were found to load properly, though they were not currently available nor potentially ever available through the Google Play Store. It is thought that these apps would be sideloaded through some trickery like social engineering, thus making them less of an overall security threat to the average person.