Chronicle
2025: Infection of a Million Devices
Security researchers at Zimperium have discovered an improved version of the Android malware Konfety that uses a deliberately malformed ZIP structure and encrypted code to evade security tools. The malware poses as legitimate apps listed on Google Play and, according to the report, has infected millions of devices worldwide. This became known in mid-July 2025.
The malware evades automated analysis and remains undetected on users' devices. The new version loads encrypted executable code dynamically at runtime, which makes static detection significantly harder.
The main feature of the updated version is a deliberate manipulation of the ZIP container that every APK file is. The attackers set the general-purpose bit flag that marks a ZIP entry as encrypted, so many analysis tools mistake the file for a password-protected archive: some prompt for a password that does not exist, others cannot parse the file structure at all.
Further confusion comes from a bogus compression method in the ZIP entry for AndroidManifest.xml. The entry header declares BZIP2 compression, but the data is not actually compressed that way. This causes partial extraction or outright failures in analysis tools, which seriously complicates work with infected files. Since legitimate APKs only ever use the STORED (0) and DEFLATE (8) methods, any other declared method is itself a red flag worth checking for.
The Android operating system processes such non-standard ZIP files without failing and installs the malicious application without any warning, whereas specialized analysis tools such as APKTool and JADX either prompt for a non-existent password or abort with an error.
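The following Python script is an added example written for this page; it is not code from Zimperium's report or from any of the tools named above. It builds a constructed stand-in for an APK (a plain ZIP with a manifest, a DEX and a resource entry, not a real Android package), reproduces the two header tricks described above on the manifest entry (encryption bit set, compression method declared as BZIP2), shows that a stock ZIP reader then demands a password, and then walks the central directory with `struct` so the audit itself never trips over the anomalies it looks for. The repair step assumes an entry with a bogus method is really raw DEFLATE or stored data, which is an assumption about this sample, not a statement about every Konfety build.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: "entry is encrypted"
METHOD_STORED, METHOD_DEFLATED, METHOD_BZIP2 = 0, 8, 12
ANDROID_METHODS = {METHOD_STORED, METHOD_DEFLATED}   # the only methods APKs legitimately use


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a plain ZIP with the kinds of entries an APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Manifest is STORED so the sample mirrors the report: no real compression behind the bogus method.
        z.writestr("AndroidManifest.xml",
                   b"<?xml version='1.0'?><manifest package='com.example.sample'/>",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("res/raw/blob.bin", b"payload placeholder")
    return buf.getvalue()


def _central_records(data: bytes):
    """Walk the central directory by hand; yield (cd_pos, name, flags, method, csize, usize, local_off)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        csize, usize = struct.unpack_from("<II", data, pos + 20)
        fnlen, exlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        yield pos, name, flags, method, csize, usize, local_off
        pos += 46 + fnlen + exlen + clen


def tamper_like_konfety(apk: bytes, target: str = "AndroidManifest.xml") -> bytes:
    """Reproduce the two header tricks on one entry: set the encryption bit and declare BZIP2."""
    out = bytearray(apk)
    for cd_pos, name, flags, _m, _cs, _us, local_off in _central_records(apk):
        if name == target:
            struct.pack_into("<HH", out, cd_pos + 8, flags | FLAG_ENCRYPTED, METHOD_BZIP2)    # central directory
            struct.pack_into("<HH", out, local_off + 6, flags | FLAG_ENCRYPTED, METHOD_BZIP2)  # local file header
    return bytes(out)


def audit_entries(apk: bytes) -> list:
    """One finding per header anomaly: bogus encryption bit, non-Android method, header mismatch."""
    findings = []
    for _cd_pos, name, flags, method, _cs, _us, local_off in _central_records(apk):
        if flags & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag set (general-purpose bit 0)")
        if method not in ANDROID_METHODS:
            findings.append(f"{name}: compression method {method} (APKs use only STORED=0 / DEFLATE=8)")
        local_flags, local_method = struct.unpack_from("<HH", apk, local_off + 6)
        if (local_flags, local_method) != (flags, method):
            findings.append(f"{name}: local header and central directory disagree")
    return findings


def _sniff_method(blob: bytes, usize: int):
    """Recover the real encoding behind a bogus method (assumption: raw DEFLATE or stored); None if neither."""
    try:
        if len(zlib.decompress(blob, -15)) == usize:
            return METHOD_DEFLATED
    except zlib.error:
        pass
    return METHOD_STORED if len(blob) == usize else None


def normalize_headers(apk: bytes) -> bytes:
    """Clear the encryption bit and rewrite bogus method fields so stock ZIP tools can open the file."""
    out = bytearray(apk)
    for cd_pos, _name, flags, method, csize, usize, local_off in _central_records(apk):
        new_method = method
        if method not in ANDROID_METHODS:
            fnlen, exlen = struct.unpack_from("<HH", apk, local_off + 26)
            start = local_off + 30 + fnlen + exlen
            sniffed = _sniff_method(apk[start:start + csize], usize)
            if sniffed is not None:
                new_method = sniffed
        new_flags = flags & ~FLAG_ENCRYPTED
        struct.pack_into("<HH", out, cd_pos + 8, new_flags, new_method)
        struct.pack_into("<HH", out, local_off + 6, new_flags, new_method)
    return bytes(out)


def run_demo() -> dict:
    clean = build_sample_apk()
    tampered = tamper_like_konfety(clean)
    with zipfile.ZipFile(io.BytesIO(clean)) as z:
        original = z.read("AndroidManifest.xml")
    # A stock ZIP reader believes the bogus bit and demands a password, as the analysis tools in the report do.
    try:
        with zipfile.ZipFile(io.BytesIO(tampered)) as z:
            z.read("AndroidManifest.xml")
        tool_error = None
    except RuntimeError as exc:
        tool_error = str(exc)
    repaired = normalize_headers(tampered)
    with zipfile.ZipFile(io.BytesIO(repaired)) as z:
        recovered = z.read("AndroidManifest.xml")
    return {"tool_error": tool_error, "findings": audit_entries(tampered),
            "repaired_findings": audit_entries(repaired), "recovered_ok": recovered == original}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it on a real sample by replacing `build_sample_apk()` with the bytes of the APK under analysis; `audit_entries` is the triage check (anything it reports deserves a manual look, and the encryption bit on an unsigned-looking APK is close to a signature by itself), while `normalize_headers` produces a copy that APKTool, JADX or `unzip` will accept. Because the audit reads the central directory with `struct` rather than through a ZIP library, it also catches the case where the local header and the central directory disagree, which a library that trusts only one of them would miss.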
The runtime trick complements the container trick: because the encrypted executable code is only loaded while the app runs, it is not visible in a standard static inspection of the APK. The malicious application carries a secondary DEX file, encrypted and hidden in its resources, which is decrypted and loaded only during execution.[1]