Beware of BadPack: One Weird Trick Being Used Against Android Devices

July 16, 2024, 1:26 p.m.

Description

The report examines the recent trend of BadPack Android malware, which uses tampered ZIP headers to obstruct analysis tools. It evaluates how well various freely available utilities handle BadPack Android Package Kit (APK) files. The report dissects the structure of APK files and shows how malware authors manipulate the local file headers and central directory headers to evade detection. It also traces the Android codebase implementation responsible for the discrepancy between analysis tools and the Android runtime when extracting BadPack APKs. The analysis provides insight into how the BadPack technique manifests and how it affects popular Android reverse engineering tools.

Date

Published: July 16, 2024, 1:03 p.m.

Created: July 16, 2024, 1:03 p.m.

Modified: July 16, 2024, 1:26 p.m.

Indicators


Attack Patterns

TeaBot

Cerberus

BianLian

T1036.003

T1195.002

T1583.001

T1543.003

T1059.006

T1036.004

T1564.003

T1064

T1574.002

T1059.005

T1497.001

T1059.001

T1059.007

T1071.001

T1518.001

T1036.005

T1518

T1082

T1027

T1195