New research describes a novel approach to hiding malware in APK installers. Adversaries malform the ZIP headers of the file, which simultaneously lets them slip past protection and makes analysis a much harder task than it usually is. Use of this trick peaked back in May 2024, but it has not left the stage completely and may spike again at any time.
BadPack Malware Abuses AndroidManifest File
The detailed paper on the BadPack malware shows a rather unusual tactic for analysis evasion. Threat actors tamper with the internals of APK files in a way that breaks debugging and reverse-engineering tools and also blocks real-time analysis. At the same time, the resulting file retains its ZIP archive capabilities as far as Android is concerned: it still carries a set of compressed files that are completely intact and ready for the attack.
The main role here belongs to the AndroidManifest.xml file, the cornerstone of running any APK on Android. It supplies the system with the information on how the package should be treated during installation and execution. The malicious actors modify their APK in a way that prevents analysis tools from correctly extracting the manifest, and this is what stops pretty much any security tool from detecting the attack.
Among the key fields the attackers play with are the compression method and the size fields, which describe how each entry in the archive is stored. A ZIP archive carries these fields twice: once in the local file header that precedes each entry's data, and once in the central directory at the end of the archive. By declaring one compression method while the data actually uses another, or by reporting a wrong size, the attackers pull off the evasion trick while the operating system still runs the file as if it were totally fine. That is the exact reason for concern: it is in effect a design weakness in how the Android runtime parses the archive. A substantial number of analysis tools check these fields more strictly, or read the local file header before the central directory, and that is what makes them fail to process the malicious file.
An example of a malformed file header ("should be" marks the value that matches the data actually stored):

Local File Header - Fields
  Compression method = 0 (STORE)
  Compressed size = 41192 - should be 14417
  Uncompressed size = 41192
  Data = \x00\x00\x08\x00 ...

Central Directory File Header - Fields
  Compression method = 0 (STORE)
  Compressed size = 41192 - should be 14417
  Uncompressed size = 41192
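To make the header mismatch concrete, here is an added example written for this page; it is my own code, not Unit 42's tooling and not taken from any BadPack sample. It builds a small constructed ZIP standing in for an APK, rewrites only the local file header of AndroidManifest.xml the way the header above is malformed (compression method set to STORE and compressed size set equal to the uncompressed size, while the bytes on disk remain the original DEFLATE stream), and then audits the file by parsing both copies of the header and checking the data against the central directory. It also shows two readers disagreeing about the same archive: Python's zipfile module, which takes its metadata from the central directory as the article says Android does, extracts the manifest without complaint, while a reader that trusts the local file header gets garbage. The manifest bytes, entry names and the fake classes.dex are constructed; the record layouts follow the PKWARE APPNOTE.

```python
import io
import struct
import zipfile
import zlib

# ZIP record layouts (little-endian), per the PKWARE APPNOTE.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")          # 30 bytes, precedes each entry's data
CENTRAL_HDR = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46 bytes each, grouped at the end
EOCD = struct.Struct("<4sHHHHIIH")                  # 22 bytes, end-of-central-directory
SIG_LOCAL, SIG_CENTRAL, SIG_EOCD = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORE, DEFLATE = 0, 8
MANIFEST = "AndroidManifest.xml"

def build_apk(manifest: bytes) -> bytes:
    """Constructed sample: a minimal, well-formed ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)  # placeholder bytes, not real dex
    return buf.getvalue()

def central_entries(apk: bytes):
    """Walk the central directory (the copy Android relies on), yielding one dict per entry."""
    eocd_at = apk.rfind(SIG_EOCD)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = EOCD.unpack_from(apk, eocd_at)
    pos = cd_off
    for _ in range(count):
        f = CENTRAL_HDR.unpack_from(apk, pos)
        if f[0] != SIG_CENTRAL:
            raise ValueError("bad central directory signature at offset %d" % pos)
        _, _, _, _, method, _, _, crc, csize, usize, nlen, xlen, clen, _, _, _, loff = f
        name = apk[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield dict(name=name, method=method, crc=crc, csize=csize, usize=usize, local_off=loff)
        pos += 46 + nlen + xlen + clen

def local_header(apk: bytes, off: int) -> dict:
    """Parse the local file header at `off` (the copy many unpackers trust)."""
    f = LOCAL_HDR.unpack_from(apk, off)
    if f[0] != SIG_LOCAL:
        raise ValueError("bad local file header signature at offset %d" % off)
    _, _, _, method, _, _, crc, csize, usize, nlen, xlen = f
    return dict(method=method, crc=crc, csize=csize, usize=usize, data_off=off + 30 + nlen + xlen)

def find_entry(apk: bytes, name: str) -> dict:
    """Locate `name` through the central directory."""
    return next(e for e in central_entries(apk) if e["name"] == name)

def tamper_local_header(apk: bytes, name: str, method=None, csize=None) -> bytes:
    """Rewrite fields of `name`'s local file header only; central directory and data stay intact."""
    off = find_entry(apk, name)["local_off"]
    out = bytearray(apk)
    if method is not None:
        struct.pack_into("<H", out, off + 8, method)   # compression method field
    if csize is not None:
        struct.pack_into("<I", out, off + 18, csize)   # compressed size field
    return bytes(out)

def audit_apk(apk: bytes, name: str = MANIFEST) -> list:
    """Findings for `name`: header disagreements, plus whether the bytes on disk
    really decode under the central directory's method, size and CRC."""
    findings = []
    entry = find_entry(apk, name)
    local = local_header(apk, entry["local_off"])
    for field in ("method", "csize", "usize", "crc"):
        if local[field] != entry[field]:
            findings.append("%s: local header %s=%d but central directory says %d"
                            % (name, field, local[field], entry[field]))
    raw = apk[local["data_off"]:local["data_off"] + entry["csize"]]
    try:
        plain = zlib.decompress(raw, -15) if entry["method"] == DEFLATE else raw
        if len(plain) != entry["usize"] or zlib.crc32(plain) != entry["crc"]:
            findings.append("%s: data does not match central directory size/CRC" % name)
    except zlib.error as exc:
        findings.append("%s: data does not inflate: %s" % (name, exc))
    return findings

def naive_read_local(apk: bytes, name: str) -> bytes:
    """Read `name` trusting the local header's method and size, as a front-to-back unpacker would."""
    local = local_header(apk, find_entry(apk, name)["local_off"])
    raw = apk[local["data_off"]:local["data_off"] + local["csize"]]
    return zlib.decompress(raw, -15) if local["method"] == DEFLATE else raw

def demo() -> dict:
    # Constructed stand-in for a binary AndroidManifest.xml (AXML files begin 03 00 08 00).
    manifest = b"\x03\x00\x08\x00" + b'<manifest package="com.example.sample"/>' * 50
    clean = build_apk(manifest)
    # Mimic the header on the page: the local header claims STORE with compressed size equal
    # to the uncompressed size, while the bytes on disk are still the DEFLATE stream.
    bad = tamper_local_header(clean, MANIFEST, method=STORE, csize=find_entry(clean, MANIFEST)["usize"])
    with zipfile.ZipFile(io.BytesIO(bad)) as zf:   # zipfile, like Android, reads the central directory
        central_reader_ok = zf.read(MANIFEST) == manifest
    return {"clean_findings": audit_apk(clean),
            "bad_findings": audit_apk(bad),
            "central_reader_ok": central_reader_ok,
            "local_reader_ok": naive_read_local(bad, MANIFEST) == manifest}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() reports no findings for the clean archive, two findings for the tampered one (the compression method and the compressed size disagree between the two headers), and the split verdict of the two readers. The useful habit for triage is the one audit_apk encodes: never trust either header alone, compare both, and then confirm that the entry's data actually decodes under the central directory's values.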
How Threatening is BadPack Malware?
BadPack malware is a rather concerning find, and Palo Alto Networks' Unit 42 did a great job of describing every bit of the attack. The technique undermines the typical Android safety steps you would read about on websites. Uploading the file to online scanners shows nothing but clean results, and poking around in the code with local tools (if you are savvy enough) produces errors instead of a verdict. In many cases this is enough to make a user think "well, it is probably alright" and run the malicious file.
The question of which other malicious software may adopt this practice is open, too. Nothing effectively stops cybercriminals of any kind from weaponizing this flaw to stay under the radar. And do not assume that Android is not a primary target: there are plenty of malware families that target this OS specifically. Typically, those are backdoors that form huge botnets, which then perform DDoS attacks or crypto mining.
In attacks on personal devices rather than IoT machines, spyware comes into play. It is common to see this malware type packed into sketchy APK files downloaded from third-party sites. But with BadPack, ordinary scanning leaves hardly any way to detect the threat before it is too late.
How to protect your smartphone?
With all the problems I have just mentioned, the only really practical way of avoiding BadPack is to stay away from questionable Android software sources. Sites that offer cracked games, "useful utilities" or similar less-than-trustworthy stuff are number one in this category. Also, be diligent about the permissions you grant to an app. Even with all the tricks described above, the malware still has to run as a regular app and request the corresponding permissions, so a weather forecast app asking for permission to send SMS or access your contacts should be a huge red flag.