Konfety Returns: Classic Mobile Threat with New Evasion Techniques

July 16, 2025, 8:17 a.m.

Description

A sophisticated variant of the Android malware Konfety has been identified, employing advanced evasion techniques. The malware uses dual-app deception, ZIP-level evasion, dynamic code loading, and stealth techniques to conduct ad fraud and redirect users to malicious websites. It tampers with the APK's ZIP structure to bypass security checks and complicate reverse engineering. The malware loads encrypted assets at runtime, concealing critical functionality. It mimics legitimate apps, hides its icon, and uses geofencing to adjust behavior by region. The threat actors behind Konfety are highly adaptable, consistently updating their methods to evade detection and target various ad networks.

External References

https://github.com/Zimperium/IOC/blob/master/2025-07-Konfety/apks.csv
https://otx.alienvault.com/pulse/68775c1f3243d970b75d786c
Tags
android
konfety
2025-07-16
caramelads sdk
ad fraud infrastructure

Date

  • Created: July 16, 2025, 8 a.m.
  • Published: July 16, 2025, 8 a.m.
  • Modified: July 16, 2025, 8:17 a.m.

Indicators

  • ec7e1bb518d6d0a42afc78d33856e1b90a92f110a47cfd92ed9ff23a635ba017
  • eadcb8d177ef3fe5de6d0999d4f854485f79f832593c375491361b6a3e23d595
  • e61a5f23526315c249997feaa08fbf86c42e584cfd19ab070ce23e9e2ffa0023
  • d554ec3737d2ce09ab44366b210a0a3ce73af687b0a55047d899913c5932a14c
  • ca4ee1b33f69a2239efb4568fa0f2da9ee1b11145d12a539bb5db2ce61881023
  • b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759
  • a8c6a7a08e836ffad32b706182aa081849688fbdc023841c36a0920d62dd1fd4
  • 9f0778d5d3625321547d561e8c485f21ca606754e6c107685b97b3800336f3ee
  • 94c01ed008c8b83f1d9fc247b18ec36c05356b449a1d3d7940b0a737f3a61d22
  • 8449156b632a3d7839c632377197728430e4dea8c7fa9a02648d13f9fa33bb8b
  • 7f645f7794a3039ed57e68a2a4dccd9825de054cfa3aece8e58694183cfcdf7d
  • 7f8a1ae757dcce8fc869f5f50f79d12b24c6316b5498ce5117d62ebffc8c4178
  • 73763f6106f8c0e928fe302d5764926832cc3afabe016c35b9c9fd99656d5191
  • 6dc9d8c1cf11138eccea44e3662b044879f9721c22d6e3a90a1fdb76e674260e
  • 6504fc4739d220dc98f3596a424479ce066ea5eed409f3bc2cf0ea08584e6dc1
  • 6097ac05da6c79d06f8ced22edf611ad551fbad7a00410f14fa4831cc9ccf2ea
  • 602972dfa5321381c4b40e35fe3f8b1ac66e7759c9c4a76efdffdbe0eaa1bca3
  • 4d81aeb12c20131f7581ed9c00f1fdd8edb4e82ffe762959e0e32832ddf9ab7c
  • 45ccf69ad2b86b46d749998438aa090c50f0e3b12b74d109c02e3de70152f2ab
  • 3b6cdd4d708c3c79c7c2adbb2394293797a2c9cace8f724a14ed1dfa49d4a025
  • 362d15f5f98e5ac2fbfb1333b57e6fe08cd98b2703e18341d51424f4e749fd7a
  • 30d8a0fc34697966f80ca9652e98781612006efc09df93f42b92c8f0d3979056
  • 30bc2c475d09f9e41f11bcdc9089b077cfc4982f9d411e62f53ca5d732424541
  • 2d26502ff7a99c0df781ea7830fbafef621ff5c592a0803e63784f9b3d85d4ce
  • 160a924a804c5f390358a17dcd45031a5785ae013990a9185d57a164d3836845
  • 0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10
Download all indicators here!

Attack Patterns

  • Konfety