New Konfety malware strain uncovered by Zimperium zLabs

July 21, 2025

Zimperium has announced the discovery of a new, highly evasive variant of the Konfety malware targeting Android devices.

Identified by Zimperium’s zLabs team, this latest version leverages advanced obfuscation and ZIP-level evasion techniques, which reportedly make it significantly more difficult to detect and analyse than previous iterations.

The company has reported that the Konfety malware campaign uses a deceptive dual-app strategy: a malicious version, distributed via third-party sources, reuses the package name of a benign app published on the Play Store, so that the malicious app looks like a legitimate, already-vetted package to users and to detection methods that key on package identity.

It reportedly further evades analysis by tampering with the APK’s ZIP structure, including declaring compression methods that analysis tools do not support and manipulating ZIP header fields so that security tools misparse the archive.

Konfety malware: Outsmarting analysts

Nico Chiaraviglio, Chief Scientist, Zimperium commented: “This isn’t just a recycled threat – it’s a deeply engineered update designed to outsmart analysts and evade automated tools.

“The threat actors are actively modifying their tactics to stay ahead and Konfety is a prime example of how mobile malware is evolving.”

Among the most alarming tactics:

  • Dynamic code loading: Malicious code is decrypted and executed only at runtime, so it is absent from the APK as it sits on disk and is hidden from traditional static scans
  • Fake app behaviour: The malware suppresses its launcher icon, mimics legitimate app metadata and redirects users through ad fraud infrastructure
  • ZIP-level obfuscation: Techniques cause common analysis tools to crash or misinterpret the APK as password-protected or malformed

Zimperium’s analysis confirmed Konfety leverages the CaramelAds SDK to silently deliver payloads, push persistent spam-like browser notifications, and facilitate fraud.

The campaign is said to use region-specific behaviours, geofencing European users away from suspicious sites while targeting others more aggressively.

Konfety reportedly manipulates the APK’s ZIP structure in a way that causes popular reverse engineering tools to crash entirely, while the package still installs and runs on the device, demonstrating a new level of sophistication in mobile malware evasion.
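The ZIP-level tricks described above (an unsupported compression method declared in the headers, an archive that looks password-protected, a local file header that disagrees with the central directory) all live in a few header fields, and an analyst can check for them without trusting a full-featured ZIP library. The following is an added example, not Zimperium’s tooling and not code from any Konfety sample: it builds a constructed stand-in “APK” in memory, tampers with its headers in the ways the article describes, and shows that a small header-level audit still enumerates the entries at the point where Python’s stdlib parser gives up. The set of “expected” compression methods (stored and deflate) and the method value 18 used for tampering are assumptions chosen for the demonstration.

```python
"""Audit an APK's ZIP headers for the evasion tricks described in the article.

Added example (not Zimperium's code, not a Konfety sample). Builds a constructed
ZIP, tampers with it, and compares a header-level audit with the stdlib parser.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CD_SIG = 0x02014B50
LFH_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: "entry is encrypted"
EXPECTED_METHODS = {0: "stored", 8: "deflate"}   # assumption: all an APK should need
CD_FMT = "<IHHHHHHIIIHHHHHII"      # 46-byte central directory file header
LFH_FMT = "<IHHHHHIIIHH"           # 30-byte local file header
EOCD_FMT = "<IHHHHIIH"             # 22-byte end-of-central-directory record


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small, well-formed ZIP (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)) * 4)
    return buf.getvalue()


def central_directory(data: bytes):
    """Yield one dict per central-directory entry, parsing the headers ourselves
    so a hostile archive cannot make us bail out before we have seen every entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    pos = cd_off
    for _ in range(total):
        f = struct.unpack_from(CD_FMT, data, pos)
        if f[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        fnlen, exlen, cmlen = f[10], f[11], f[12]
        yield {
            "name": data[pos + 46: pos + 46 + fnlen].decode("utf-8", "replace"),
            "cd_pos": pos, "cd_flags": f[3], "cd_method": f[4], "lfh_pos": f[16],
        }
        pos += 46 + fnlen + exlen + cmlen


def local_header(data: bytes, off: int) -> dict:
    """Flags and method from the local file header an entry points at."""
    f = struct.unpack_from(LFH_FMT, data, off)
    if f[0] != LFH_SIG:
        raise ValueError(f"bad local header signature at {off:#x}")
    return {"flags": f[2], "method": f[3]}


def audit_zip(data: bytes) -> list:
    """Return (entry name, finding) pairs for header fields that look tampered."""
    findings = []
    for e in central_directory(data):
        lh = local_header(data, e["lfh_pos"])
        for where, flags, method in (("central", e["cd_flags"], e["cd_method"]),
                                     ("local", lh["flags"], lh["method"])):
            if method not in EXPECTED_METHODS:
                findings.append((e["name"], f"{where}: compression method {method} is not stored/deflate"))
            if flags & FLAG_ENCRYPTED:
                findings.append((e["name"], f"{where}: encryption flag set, entry looks password-protected"))
        if (lh["flags"], lh["method"]) != (e["cd_flags"], e["cd_method"]):
            findings.append((e["name"], "local header and central directory disagree"))
    return findings


def tamper(data: bytes, name: str, method=None, set_encrypted=False,
           patch_local=True, patch_central=True) -> bytes:
    """Overwrite flag/method fields in place; sizes and offsets stay valid, the
    compressed bytes are untouched, so the archive is still structurally sound."""
    buf = bytearray(data)
    for e in central_directory(data):
        if e["name"] != name:
            continue
        targets = []
        if patch_central:
            targets.append((e["cd_pos"] + 8, e["cd_pos"] + 10))   # flags, method
        if patch_local:
            targets.append((e["lfh_pos"] + 6, e["lfh_pos"] + 8))  # flags, method
        for flag_off, method_off in targets:
            if set_encrypted:
                flags = struct.unpack_from("<H", buf, flag_off)[0] | FLAG_ENCRYPTED
                struct.pack_into("<H", buf, flag_off, flags)
            if method is not None:
                struct.pack_into("<H", buf, method_off, method)
    return bytes(buf)


def stdlib_verdict(data: bytes) -> str:
    """What a parser that trusts the headers does: 'ok' or the exception class raised."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info.filename)
        return "ok"
    except Exception as exc:   # we only want the class name, whatever it is
        return type(exc).__name__


if __name__ == "__main__":
    clean = build_sample_apk()
    cases = {
        "clean": clean,
        "odd method (18)": tamper(clean, "classes.dex", method=18),
        "encrypted flag": tamper(clean, "classes.dex", set_encrypted=True),
        "cd/local mismatch": tamper(clean, "classes.dex", method=18, patch_local=False),
    }
    for label, blob in cases.items():
        print(f"{label:18} stdlib={stdlib_verdict(blob):21} findings={audit_zip(blob)}")
```

The three tampered cases leave every byte of compressed data intact, which is the point: a parser that believes the headers refuses the archive (Python reports an unsupported method or demands a password), while the header-level audit still lists every entry and names the field that was altered. In triage, a method outside stored/deflate, an encryption bit on an entry that installs fine, or any local/central disagreement is a cheap, high-signal reason to pull the sample for manual analysis rather than trusting the tool that crashed on it.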

Security Journal UK