Threat Actors Using Unknown APK Compression Methods to Evade Malware Analysis

Vicky Stavropoulou

Aug 19, 2023
Zimperium, a cybersecurity firm, has discovered that threat actors are using Android Package (APK) files with unknown or unsupported compression methods to avoid detection during malware analysis. Upon investigation, Zimperium found 3,300 artifacts utilizing these compression algorithms, with 71 of the identified samples able to be loaded onto the operating system without any issues.

It is important to note that there is no evidence to suggest that these apps were ever available on the Google Play Store. Instead, they were likely distributed through alternative means such as untrusted app stores or through social engineering tactics that trick victims into sideloading them.

The APK files employ a technique that hinders decompilation by common analysis tools, reducing the chance that they are ever analyzed. An APK is essentially a ZIP archive, and the trick is to declare an unsupported compression method for entries inside it: decompilation tools fail to unpack the file, while the app remains installable on Android devices running operating system versions above Android 9 Pie.

Zimperium began its analysis after a post from Joe Security on X (previously Twitter) in June 2023 regarding an APK file exhibiting these behaviors. Through their research, Zimperium also discovered that malware authors intentionally corrupt the APK files by including filenames with more than 256 bytes and malformed AndroidManifest.xml files. This is done to trigger crashes on analysis tools, further hampering analysis efforts.
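As an added defensive example (not code from Zimperium or from this article): a small Python check that parses an APK's ZIP central directory directly, rather than trusting a library that may fail on malformed input, and flags the two indicators described above: entries whose compression method is anything other than STORED (0) or DEFLATED (8), and entry names longer than 256 bytes. The sample APK is constructed in memory, and the method value 0x9999 is an arbitrary placeholder.

```python
import io
import struct
import zipfile

# Compression methods Android's ZIP reader accepts: 0 = STORED, 8 = DEFLATED.
SUPPORTED_METHODS = {0, 8}
MAX_SAFE_NAME_LEN = 256  # the article reports tools crashing on names longer than this

CD_HEADER = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central directory file header
EOCD = struct.Struct("<4sHHHHIIH")                # 22-byte end-of-central-directory record


def iter_central_directory(data: bytes):
    """Yield (name, method, entry_offset) for every entry by walking the central directory."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_offset, _ = EOCD.unpack_from(data, eocd_pos)
    pos = cd_offset
    for _ in range(total):
        fields = CD_HEADER.unpack_from(data, pos)
        if fields[0] != b"PK\x01\x02":
            raise ValueError(f"bad central directory signature at offset {pos}")
        method, name_len, extra_len, comment_len = fields[4], fields[10], fields[11], fields[12]
        name = data[pos + CD_HEADER.size : pos + CD_HEADER.size + name_len]
        yield name, method, pos
        pos += CD_HEADER.size + name_len + extra_len + comment_len


def find_evasion_indicators(data: bytes) -> list[str]:
    """Return human-readable findings for the two tricks described in the article."""
    findings = []
    for name, method, _ in iter_central_directory(data):
        if method not in SUPPORTED_METHODS:
            findings.append(f"{name.decode('utf-8', 'replace')}: unsupported compression method {method}")
        if len(name) > MAX_SAFE_NAME_LEN:
            findings.append(f"entry name is {len(name)} bytes long (>{MAX_SAFE_NAME_LEN})")
    return findings


def build_sample_apk(method_for_dex: int = 0x9999) -> bytes:
    """Constructed sample, not a real malware file: a STORED ZIP whose classes.dex
    central-directory method field is patched to `method_for_dex`, plus a 307-byte name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        zf.writestr("assets/" + "A" * 300, b"padding")
    data = bytearray(buf.getvalue())
    for name, _, cd_pos in iter_central_directory(bytes(data)):
        if name == b"classes.dex":
            struct.pack_into("<H", data, cd_pos + 10, method_for_dex)  # method field sits at +10
    return bytes(data)
```

Run `find_evasion_indicators(open(path, "rb").read())` on a real APK to get the same findings; a clean build yields an empty list.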

It is important to stay vigilant and cautious when downloading apps outside of official app stores, as these alternative sources may not have the same level of scrutiny and security measures in place. Users should be careful to avoid sideloading apps from untrusted sources, as they may unknowingly expose themselves to potential malware and security risks.

