Cybersecurity firm Zimperium has discovered that threat actors are using Android Package (APK) files with unsupported compression methods to avoid detection and analysis. The firm found approximately 3,300 artifacts incorporating such compression methods, 71 of which still loaded on the operating system without any issues.

It appears that these apps were not available on the Google Play Store, suggesting that they were distributed through alternative means, such as untrusted app stores or social engineering techniques designed to trick users into sideloading them.

The technique employed in these APK files hinders decompilation of the application, making it difficult for various analysis tools to examine it thoroughly. By declaring an unsupported compression method within the APK, threat actors limit the options for analysis. Remarkably, this technique still allows the APK files to be installed on Android devices running operating systems newer than Android 9 Pie.

Zimperium initiated the investigation after a post from Joe Security on X (formerly Twitter) in June 2023 highlighted an APK file exhibiting this behavior.

Typically, APKs are ZIP archives whose entries are either stored uncompressed or compressed with the DEFLATE algorithm. However, APKs whose entries declare unsupported compression methods are only compatible with Android versions 9 and above.

Furthermore, Zimperium found that malware authors purposely corrupt the APK files by including filenames longer than 256 bytes and malformed AndroidManifest.xml files. This tactic aims to trigger crashes on analysis tools and hinder further examination.
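As an added example (not Zimperium's tooling), the following Python script walks an APK's ZIP central directory by hand and flags the two red flags the article describes: an entry whose compression method is anything other than stored or DEFLATE, and a filename longer than 256 bytes. The sample archive is constructed in memory with the standard library and uses bzip2 (method 12) as a stand-in for an unsupported method; it is not a real malware sample.

```python
import io
import struct
import zipfile

# Android's installer only unpacks ZIP entries that are stored (0) or DEFLATE (8).
ANDROID_SUPPORTED_METHODS = {0, 8}
MAX_SAFE_NAME_BYTES = 256       # filename length the article reports as crash-inducing
EOCD_SIG = b"PK\x05\x06"        # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"        # central directory file header signature


def scan_apk_central_directory(data: bytes) -> list[dict]:
    """Flag central-directory entries that analysis tools may choke on.

    Headers are parsed directly rather than via zipfile so that an unknown
    compression method or an oversized filename cannot abort the scan.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD: total entries at +10 (u16), central dir size at +12 (u32), offset at +16 (u32)
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    findings, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            findings.append({"name": None, "issues": ["central directory truncated or corrupt"]})
            break
        (method,) = struct.unpack_from("<H", data, pos + 10)           # compression method field
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len]                      # filename follows the 46-byte header
        issues = []
        if method not in ANDROID_SUPPORTED_METHODS:
            issues.append(f"unsupported compression method {method}")
        if name_len > MAX_SAFE_NAME_BYTES:
            issues.append(f"filename {name_len} bytes long")
        if issues:
            findings.append({"name": name.decode("utf-8", "replace"), "issues": issues})
        pos += 46 + name_len + extra_len + comment_len                 # advance to the next header
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for the APKs described (not a real sample): one normal entry,
    one bzip2 (method 12) entry Android cannot unpack, and one 304-byte filename."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00", compress_type=zipfile.ZIP_STORED)
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_BZIP2)
        zf.writestr("res/" + "a" * 300, b"x", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Running `scan_apk_central_directory(build_sample_apk())` reports the manifest entry for its method and the `res/` entry for its filename length, while `classes.dex` passes; point it at `open(path, "rb").read()` to scan a real file.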

These findings emerge shortly after Google uncovered threat actors utilizing versioning techniques to evade the Play Store’s malware detection capabilities and target Android users.