Beware of BadPack: One Weird Trick Being Used Against Android Devices

July 16, 2024, 1:26 p.m.

Description

The report examines the recent trend of BadPack Android malware, which uses tampered headers to obstruct analysis tools. It evaluates how well various freely available utilities cope with BadPack Android Package Kit (APK) files. The report dissects the structure of APK files and shows how malware authors manipulate the local and central directory headers to evade detection. It also traces the part of the Android codebase responsible for the discrepancy between analysis tools and the Android runtime when extracting BadPack APKs. The analysis explains how the BadPack technique manifests and what impact it has on popular Android reverse engineering tools.

Date

  • Created: July 16, 2024, 1:03 p.m.
  • Published: July 16, 2024, 1:03 p.m.
  • Modified: July 16, 2024, 1:26 p.m.

Indicators

  • 90c41e52f5ac57b8bd056313063acadc753d44fb97c45c2dc58d4972fe9f9f21
  • 131135a7c911bd45db8801ca336fc051246280c90ae5dafc33e68499d8514761
  • 0003445778b525bcb9d86b1651af6760da7a8f54a1d001c355a5d3ad915c94cb
  • 015bd2e799049f5e474b80cbbdcd592ce4e2dfbfae183bada86a9b6ec103e25e

Attack Patterns

  • TeaBot
  • Cerberus
  • BianLian
  • T1036.003
  • T1195.002
  • T1583.001
  • T1543.003
  • T1059.006
  • T1036.004
  • T1564.003
  • T1064
  • T1574.002
  • T1059.005
  • T1497.001
  • T1059.001
  • T1059.007
  • T1071.001
  • T1518.001
  • T1036.005
  • T1518
  • T1082
  • T1027
  • T1195