Zimperium has announced the discovery of a new, highly evasive variant of the Konfety malware targeting Android devices.
Identified by Zimperium’s zLabs team, this latest version leverages advanced obfuscation and ZIP-level evasion techniques, making it significantly more difficult to detect and analyze than previous iterations, Zimperium adds.
The company says that the Konfety malware campaign uses a deceptive dual-app strategy, leveraging the same package name for both a benign Play Store app and a malicious version distributed via third-party sources, to trick users and bypass traditional detection methods.
It further evades analysis by tampering with the APK’s structure, including:
Zimperium explains that Konfety manipulates the APK's ZIP structure in a way that causes popular reverse-engineering tools to crash outright, which the company describes as a new level of sophistication in mobile malware evasion.
The company's analysis confirmed that Konfety leverages the CaramelAds SDK to silently deliver payloads, push persistent spam-like browser notifications and facilitate fraud.
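The article does not say which ZIP fields Konfety alters, only that the tampering breaks common analysis tools. The following is an added example, not code from Zimperium or from the malware, that shows how a triage script can catch the generic kinds of container manipulation that make ZIP readers fail: a compression method Android does not accept, the "encrypted" general-purpose flag on an entry, and a local file header that disagrees with the central directory. The sample APK is constructed in memory, the `tamper_central_directory` helper is a hypothetical manipulation chosen for the demonstration (it rewrites one central-directory entry to method 99 with the encryption bit set), and the claim that this particular edit resembles Konfety's bytes is an assumption, not something the page states.

```python
"""Structural sanity check for an APK's ZIP container.

Added example, not Zimperium's code. Checks generic ZIP tricks known to
trip parsers: an unsupported compression method, the "encrypted" flag,
and local headers that disagree with the central directory.
"""
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"     # central directory file header signature
LFH_SIG = b"PK\x03\x04"    # local file header signature
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
ANDROID_METHODS = {0, 8}   # Android only accepts STORED (0) and DEFLATED (8)
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: entry is encrypted


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the usual file names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def _eocd(data: bytes):
    """Locate the EOCD record and return (central directory offset, size)."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack_from("<IHHHHIIH", data, idx)
    return fields[6], fields[5]


def central_entries(data: bytes) -> list[dict]:
    """Walk the central directory ourselves (no zipfile) and collect key fields."""
    cd_off, cd_size = _eocd(data)
    entries, pos = [], cd_off
    while pos < cd_off + cd_size:
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        flags, method, fnlen, exlen, cmlen, lh_off = f[3], f[4], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method,
                        "lh_off": lh_off, "cd_pos": pos})
        pos += 46 + fnlen + exlen + cmlen
    return entries


def _local_header(data: bytes, off: int):
    """Parse the local file header an entry points at, or None if the signature is gone."""
    if data[off:off + 4] != LFH_SIG:
        return None
    f = struct.unpack_from("<IHHHHHIIIHH", data, off)
    return {"flags": f[2], "method": f[3]}


def scan_apk(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the container looks normal."""
    findings = []
    for e in central_entries(data):
        if e["method"] not in ANDROID_METHODS:
            findings.append(f"{e['name']}: compression method {e['method']} is not STORED/DEFLATED")
        if e["flags"] & FLAG_ENCRYPTED:
            findings.append(f"{e['name']}: encryption flag set (APK entries are never encrypted)")
        lh = _local_header(data, e["lh_off"])
        if lh is None:
            findings.append(f"{e['name']}: no local file header at offset {e['lh_off']}")
        elif lh["method"] != e["method"] or (lh["flags"] ^ e["flags"]) & FLAG_ENCRYPTED:
            findings.append(f"{e['name']}: local header/central directory mismatch "
                            f"(method {lh['method']} vs {e['method']}, "
                            f"flags {lh['flags']:#06x} vs {e['flags']:#06x})")
    return findings


def tool_can_read(data: bytes) -> bool:
    """Does a stock ZIP reader (Python's zipfile here) get through every entry?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError, OSError):
        return False


def tamper_central_directory(data: bytes, target: str, method: int = 99) -> bytes:
    """Hypothetical manipulation for the demo: rewrite one entry's central-directory
    flags and method while leaving its local header untouched, so the two disagree."""
    buf = bytearray(data)
    for e in central_entries(data):
        if e["name"] == target:
            struct.pack_into("<HH", buf, e["cd_pos"] + 8, e["flags"] | FLAG_ENCRYPTED, method)
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean readable:", tool_can_read(clean), "findings:", scan_apk(clean))
    evasive = tamper_central_directory(clean, "classes.dex")
    print("tampered readable:", tool_can_read(evasive))
    for line in scan_apk(evasive):
        print("  ", line)
```

The point of walking the central directory by hand is that a scanner which delegates to the same ZIP library the attacker is targeting fails in the same place; parsing the headers independently lets you report the anomaly instead of crashing on it, and comparing the central directory against each local header surfaces the inconsistency regardless of which side was edited.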
The campaign uses region-specific behaviors, geofencing European users away from suspicious sites while targeting others more aggressively.
Zimperium notes that among the most alarming tactics is:
Nico Chiaraviglio, Chief Scientist at Zimperium, commented: “This isn’t just a recycled threat, it’s a deeply engineered update designed to outsmart analysts and evade automated tools.
“The threat actors are actively modifying their tactics to stay ahead and Konfety is a prime example of how mobile malware is evolving,” he concluded.