Sneaky Android Malware Employs Clever Technique to Evade Detection

Cybersecurity researchers have identified a concerning trend: malicious Android apps that evade detection by mobile antivirus software through an unusual approach involving the compression methods used inside their APK (Android Package) files.

These malicious apps declare unknown or unsupported compression methods for the entries in their APKs. When researchers or antivirus programs attempt to unzip and analyze the APK, they fail because their tooling does not recognize the compression method. As a result, the apps cannot be flagged as malicious by the traditional analysis methods antivirus software relies on.

The Android operating system, however, is still able to run these apps without any issues. This evasion technique has been observed in apps specifically targeting Android 9 and newer versions, as older versions do not support these apps.
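The evasion described above leaves a visible trace in the APK's own zip metadata: a valid APK entry is either stored (method 0) or deflated (method 8), so any other method id in the central directory is a red flag. The following detector is an added example written for this article, not tooling from Zimperium, Joe Security or the Android project; it reads only the central directory for the method check, so it works even when the payload cannot be decompressed, and it includes a constructed test fixture (a one-entry zip with an arbitrary, made-up method id of 0x1234) rather than any real sample.

```python
import io
import struct
import zipfile

# The only compression methods a valid APK entry may use: 0 = stored, 8 = deflate.
# Any other method id is a red flag for the evasion described in the article
# (constructed detection logic, not from any vendor's tooling).
APK_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def analyze_apk(apk_bytes):
    """Flag entries whose compression method is not stored/deflate, and record
    which entries standard zip tooling cannot decompress at all.
    Only the central directory is needed for the first check, so the detector
    still works when the payload itself is undecodable."""
    unusual, unreadable = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_type not in APK_METHODS:
                unusual.append((info.filename, info.compress_type))
            try:
                with zf.open(info) as fh:
                    fh.read()
            except (NotImplementedError, zipfile.BadZipFile) as exc:
                unreadable.append((info.filename, type(exc).__name__))
    return {"unusual": unusual, "unreadable": unreadable}


def build_sample_apk(method_id):
    """Constructed test fixture, not real malware: a one-entry zip whose
    compression-method field (local header and central directory) is set to
    method_id so the detector can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    # Local file header sits at offset 0 (first entry); its method field is at +8.
    struct.pack_into("<H", data, 8, method_id)
    # End-of-central-directory record (last 22 bytes, no comment) holds the
    # central directory offset at +16; the first header's method field is at +10.
    cd_offset = struct.unpack_from("<I", data, len(data) - 22 + 16)[0]
    struct.pack_into("<H", data, cd_offset + 10, method_id)
    return bytes(data)


if __name__ == "__main__":
    print(analyze_apk(build_sample_apk(0x1234)))  # constructed unsupported id
    print(analyze_apk(build_sample_apk(8)))       # ordinary deflate: clean
```

Running the detector over a real APK is a matter of passing the file's bytes to analyze_apk; an entry in the "unusual" list, especially classes.dex or resources.arsc, is the signature of the technique.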

This method was first discovered by Joe Security and later confirmed by other cybersecurity firms such as Zimperium and zLab. Zimperium’s report highlighted that around 3,300 APKs are currently evading detection using this method. It’s important to note that these apps are not found on the official Google Play Store, meaning they are being distributed through alternative channels. While this reduces the number of potential victims, it also makes it harder to track and remove the malicious apps.

To protect themselves, users are advised to:

  1. Check the list of app hashes provided in Zimperium’s report against the apps installed on their devices to identify potentially malicious ones.
  2. Uninstall any suspicious apps from their devices.
  3. Scan their devices with an Android antivirus app to ensure no residual threats remain.
  4. Be cautious of apps that request excessive permissions.

It’s worth noting that this evasion technique is not the only one being used by attackers, as they are employing various methods to avoid analysis and detection by security tools.