Beware BadPack: APK packer hides Android malware from analysis tools

July 19, 2024
1 min read

TLDR:

  • Attackers are using the BadPack APK packer to tamper with the ZIP headers of malicious Android apps
  • The tampering breaks common extraction and reverse-engineering tools, making the malware harder to detect and analyze

In a recent report, researchers at Palo Alto Networks' Unit 42 describe attackers using the BadPack APK packer to tamper with the file structure of malicious Android applications. The tampering hampers the detection and analysis of the malware by security tools, which raises the attackers' odds of a successful compromise and helps the malware stay hidden on infected devices.

BadPack APK files, whose ZIP headers have been deliberately altered, are a growing threat. They resist analysis with standard reverse-engineering tools, and banking Trojans frequently use them. Palo Alto Networks' WildFire malware analysis service identified roughly 9,200 BadPack samples between June 2023 and June 2024, which underlines the need for better understanding and detection of this kind of tampering.

BadPack's authors deliberately alter header fields inside the APK so that an entry's local file header no longer agrees with its central directory record. The Android runtime still installs and runs such apps, so the manipulation costs the attacker nothing, while analysis tools such as Apktool and Jadx fail to extract the tampered archives. Analysts therefore need tooling that detects and undoes these header inconsistencies before a sample can be unpacked and examined.
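The mismatch described above can be checked directly, because an APK is a ZIP archive in which every entry is described twice: in the local file header that precedes the entry's data, and in the central directory at the end of the archive, which is the index that the Android runtime and most extractors consult. The script below is an added example, not code from Unit 42 or from any BadPack sample. It builds a small constructed archive standing in for an APK, corrupts one entry's local header while leaving the central directory intact (an illustrative tamper of the compression method, CRC and size fields, not a reproduction of a specific BadPack sample), shows that Python's zipfile still extracts the entry because it trusts the central directory, lists every field on which the two headers disagree, and repairs the local headers from the central directory so that ordinary tools can unpack the file again.

```python
import io
import struct
import zipfile

# ZIP record signatures from the PKWARE APPNOTE; an APK is an ordinary ZIP archive.
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small, well-formed ZIP. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)))
    return buf.getvalue()


def parse_central_directory(data: bytes) -> list:
    """Walk the central directory: the index the Android runtime and most unzip tools trust."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    # EOCD: total entry count at +10, directory size at +12, directory offset at +16.
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # method(+10) time/date(+12, skipped) crc(+16) csize(+20) usize(+24) name/extra/comment lengths(+28..+33)
        method, crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<H4xIIIHHH", data, pos + 10)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, method=method, crc=crc, csize=csize, usize=usize, local_offset=local_off))
        pos += 46 + nlen + xlen + clen
    return entries


def read_local_header(data: bytes, off: int) -> dict:
    """Parse the local file header at `off`: the record many extractors and reversing tools read first."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at offset {off}")
    # method(+8) time/date(+10, skipped) crc(+14) csize(+18) usize(+22) name length(+26) extra length(+28)
    method, crc, csize, usize, nlen, _xlen = struct.unpack_from("<H4xIIIHH", data, off + 8)
    name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
    return dict(name=name, method=method, crc=crc, csize=csize, usize=usize)


def find_header_mismatches(data: bytes) -> list:
    """Return (entry, field, central value, local value) for every disagreement between the two headers."""
    findings = []
    for cd in parse_central_directory(data):
        lfh = read_local_header(data, cd["local_offset"])
        for field in ("name", "method", "crc", "csize", "usize"):
            if lfh[field] != cd[field]:
                findings.append((cd["name"], field, cd[field], lfh[field]))
    return findings


def tamper_local_header(data: bytes, name: str, bogus_method: int = 0xFFFF) -> bytes:
    """Illustrative tamper: corrupt one entry's local header and leave the central directory untouched.
    Constructed to exhibit the mismatch class described in the report; not a copy of any real sample."""
    out = bytearray(data)
    for cd in parse_central_directory(data):
        if cd["name"] == name:
            off = cd["local_offset"]
            struct.pack_into("<H", out, off + 8, bogus_method)  # compression method
            struct.pack_into("<III", out, off + 14, 0, 0, 0)    # CRC-32, compressed size, uncompressed size
            return bytes(out)
    raise KeyError(name)


def repair_local_headers(data: bytes) -> bytes:
    """Undo the tamper by writing the central directory's values back into every local header."""
    out = bytearray(data)
    for cd in parse_central_directory(data):
        off = cd["local_offset"]
        struct.pack_into("<H", out, off + 8, cd["method"])
        struct.pack_into("<III", out, off + 14, cd["crc"], cd["csize"], cd["usize"])
    return bytes(out)


def readable_via_central_directory(data: bytes, name: str) -> bool:
    """zipfile resolves members through the central directory, so a tampered entry still extracts cleanly."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = tamper_local_header(clean, "classes.dex")
    for finding in find_header_mismatches(bad):
        print("mismatch: entry=%r field=%s central=%r local=%r" % finding)
    print("zipfile still reads the tampered entry:", readable_via_central_directory(bad, "classes.dex"))
    print("mismatches after repair:", find_header_mismatches(repair_local_headers(bad)))
```

Two caveats for running this against real samples rather than the constructed archive: when general-purpose flag bit 3 (data descriptor) is set, a local header legitimately carries zero CRC and sizes, so those fields must be compared against the trailing data descriptor instead; and archives larger than 4 GiB or with more than 65,535 entries move the size and offset fields into ZIP64 extra records, which this parser does not read.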

To counter this threat, users are advised to install apps only from trusted sources and to refuse applications that request permissions unrelated to their stated purpose. For analysts, recognizing and reversing BadPack's header manipulations is the prerequisite for extracting a sample and analyzing it, and therefore for protecting against the breaches it enables.
