
New Konfety malware strain uncovered by Zimperium zLabs

published on 2025-07-21 11:02:39 UTC by Millie Marshall Loughran

Zimperium has announced the discovery of a new, highly evasive variant of the Konfety malware targeting Android devices.

Identified by Zimperium’s zLabs team, this latest version leverages advanced obfuscation and ZIP-level evasion techniques, which reportedly makes it significantly more difficult to detect and analyse than previous iterations.

The company has reported that the Konfety malware campaign uses a deceptive dual-app strategy – leveraging the same package name for both a benign Play Store app and a malicious version distributed via third-party sources – to trick users and bypass traditional detection methods.

It reportedly further evades analysis by tampering with the APK’s structure, including declaring unsupported compression formats and manipulating ZIP headers to confuse security tools.

Konfety malware: Outsmarting analysts

Nico Chiaraviglio, Chief Scientist, Zimperium commented: “This isn’t just a recycled threat – it’s a deeply engineered update designed to outsmart analysts and evade automated tools.

“The threat actors are actively modifying their tactics to stay ahead and Konfety is a prime example of how mobile malware is evolving.”

Among the most alarming tactics:

  • Dynamic code loading: Malicious code is decrypted and executed only at runtime, hidden from traditional scans
  • Fake app behavior: The malware suppresses its icon, mimics legitimate app metadata and redirects users through ad fraud infrastructure
  • ZIP-level obfuscation: Techniques cause common analysis tools to crash or misinterpret the APK as password-protected or malformed
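The ZIP-header tricks described above (an entry declaring a compression method Android never uses, or header flags that make tools believe the archive is password-protected) can be triaged by reading the APK's central directory directly rather than trusting a ZIP library to interpret it. The following is an added Python example, not code from Zimperium or from the article: it builds its own small APK-shaped archive, patches one entry's central-directory record the way the text describes, and shows that a raw-header scan still lists and flags the entry while the standard library refuses it. The file names, the bogus method value 0x1234 and the sample contents are constructed assumptions.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"  # end-of-central-directory / central-directory header signatures
SUPPORTED_METHODS = {0, 8}  # stored and deflate: the only compression methods Android's package installer accepts

def central_directory_entries(data: bytes):
    """Yield (name, flags, method, cd_offset) per entry, parsed with struct so entries zipfile refuses are still seen."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _, pos, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)  # entry count, central-directory offset
    for _ in range(count):
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)  # 42-byte fixed part after the signature
        flags, method, name_len, extra_len, comment_len = f[2], f[3], f[9], f[10], f[11]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, flags, method, pos
        pos += 46 + name_len + extra_len + comment_len

def suspicious_entries(data: bytes):
    """Triage findings for the header tricks described above: unsupported method or encryption bit set."""
    findings = []
    for name, flags, method, _ in central_directory_entries(data):
        if method not in SUPPORTED_METHODS:
            findings.append((name, f"unsupported compression method {method:#06x}"))
        if flags & 0x0001:
            findings.append((name, "encryption flag set; readers will demand a password"))
    return findings

def stdlib_can_read(data: bytes, name: str) -> bool:
    """True if Python's zipfile returns the entry; the patched headers make it refuse."""
    try:
        return bool(zipfile.ZipFile(io.BytesIO(data)).read(name))
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
        return False

def build_sample_apk(tamper: bool = True) -> bytes:
    """Constructed sample: minimal APK-shaped ZIP; tamper=True patches the central-directory entry of classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64))
    data = bytearray(buf.getvalue())
    if tamper:
        for name, _, _, cd_off in central_directory_entries(bytes(data)):
            if name == "classes.dex":
                struct.pack_into("<HH", data, cd_off + 8, 0x0001, 0x1234)  # flags=encryption bit, method=bogus
    return bytes(data)
```

Because only the central directory is patched, the compressed bytes of classes.dex are intact; a scanner that stops at the library's "encrypted" or "unsupported" error never looks at them, which is exactly the gap the article describes.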

Zimperium’s analysis confirmed Konfety leverages the CaramelAds SDK to silently deliver payloads, push persistent spam-like browser notifications, and facilitate fraud.

The campaign is said to use region-specific behaviours, geofencing European users away from suspicious sites while targeting others more aggressively.

Konfety, reportedly, manipulates Android’s APK ZIP structure in a way that causes popular reverse engineering tools to crash entirely – demonstrating a new level of sophistication in mobile malware evasion.

https://securityjournaluk.com/konfety-malwar-strain-zimperium-zlabs/   
Feed: Security Journal UK
Source: Security Journal UK