BadPack: Android Malware Hides Behind Tampered APK Headers

In recent years cybercriminals have relied more and more on malicious Android applications. One of the notable recent threats is BadPack, a family of deliberately malformed APK files described by researchers at Palo Alto Networks.

BadPack is an APK file whose ZIP headers have been altered on purpose, which complicates both analysis and detection. The same trick is actively used by Android banking Trojans such as BianLian, Cerberus and TeaBot.

APK files are Android application packages in ZIP format. The key file inside the package is AndroidManifest.xml, which holds essential information about the application. In BadPack samples the headers describing this file are altered, which prevents it from being extracted and analyzed.

The ZIP format has two main kinds of headers: local file headers, placed immediately in front of each file's data, and central directory file headers, collected at the end of the archive. Both describe the same entry (compression method, compressed and uncompressed sizes, CRC-32), and a parser may rely on either. Attackers alter fields in these headers so that the contents of the APK cannot be extracted by analysis tools.

Header manipulations observed in BadPack include:

  1. The correct compression method is recorded, but with a wrong compressed-size value.
  2. An incorrect compression method is recorded while the data is actually stored uncompressed (method Store).
  3. The compression method is recorded only in the local file header, while the data is actually Deflate-compressed.
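To make the two kinds of headers and the three manipulations concrete, here is an added example; it is not code from the Palo Alto Networks write-up and is not derived from a BadPack sample. It builds a tiny APK-shaped ZIP with Python's standard library, applies each of the three edits to the AndroidManifest.xml entry by patching raw header bytes, and then reads the entry back three ways: a sequential extractor that trusts only local file headers, a reader that takes its values from the central directory, and a recovery routine that ignores both method fields and lets the CRC-32 decide whether the bytes are Deflate or Store. The manifest text, the file names, the undefined method value 0x3039 and the choice of halving the size field are all constructed for the demonstration; which header any particular real tool trusts is not stated on the page and is not claimed here.

```python
"""APK-shaped ZIP with BadPack-style header edits, read back three ways. Added example, not Palo Alto Networks' code."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
NAME = "AndroidManifest.xml"
# Constructed stand-in; a real manifest is binary AXML, but the ZIP layer does not care.
MANIFEST = b'<manifest package="com.example.demo"><application/></manifest>' * 4

def build_apk(method):
    """Minimal archive with sane headers; `method` is how the manifest is really stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(NAME, MANIFEST, compress_type=method)
        zf.writestr("classes.dex", b"dex\n035\x00" * 8, compress_type=zipfile.ZIP_STORED)
    return bytearray(buf.getvalue())  # mutable so tamper() can patch headers in place

def parse_central_directory(data):
    """name -> {method, crc, csize, lho, cd_pos}, read from the central directory only."""
    pos = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]  # EOCD: central dir offset @16
    entries = {}
    while data[pos:pos + 4] == CENTRAL_SIG:
        # method @10, crc @16, sizes @20/@24, name/extra/comment lengths @28/@30/@32, local hdr offset @42
        method, crc, csize, _usize, nlen, elen, clen, lho = struct.unpack_from("<HxxxxIIIHHHxxxxxxxxI", data, pos + 10)
        entries[data[pos + 46:pos + 46 + nlen].decode()] = dict(method=method, crc=crc, csize=csize, lho=lho, cd_pos=pos)
        pos += 46 + nlen + elen + clen
    return entries

def tamper(data, name, case):
    """Apply one of the three header edits listed above to entry `name`, in place (case 0: none)."""
    e = parse_central_directory(data)[name]
    if case == 1:    # right method, but the local header understates the compressed size
        struct.pack_into("<I", data, e["lho"] + 18, e["csize"] // 2)
    elif case == 2:  # undefined method 0x3039 in the local header; the data is really Store
        struct.pack_into("<H", data, e["lho"] + 8, 0x3039)
    elif case == 3:  # Deflate survives only in the local header; the central directory says Store
        struct.pack_into("<H", data, e["cd_pos"] + 10, 0)

def decode_entry(blob, method, crc):
    """Undo Store (0) or Deflate (8) and check the CRC-32; anything else raises ValueError."""
    try:
        plain = {0: bytes, 8: lambda b: zlib.decompress(bytes(b), -15)}[method](blob)  # -15: raw deflate
    except (KeyError, zlib.error) as exc:
        raise ValueError(f"cannot decode with method {method:#06x}: {exc!r}") from None
    if zlib.crc32(plain) != crc:
        raise ValueError("CRC-32 mismatch")
    return plain

def extract_via_local_headers(data, name):
    """Sequential unzip that trusts only local file headers (assumes no data descriptors)."""
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG:
        method, crc, csize, _usize, nlen, elen = struct.unpack_from("<HxxxxIIIHH", data, pos + 8)
        start = pos + 30 + nlen + elen
        if data[pos + 30:pos + 30 + nlen].decode() == name:
            return decode_entry(data[start:start + csize], method, crc)
        pos = start + csize  # a lying size field also desynchronises the walk
    raise ValueError(f"{name} not found by walking local headers")

def extract_via_central_directory(data, name, methods=None):
    """Reader that bounds the entry with the central directory and trusts its method field;
    pass `methods` to ignore the recorded method and try each until the CRC-32 matches."""
    e = parse_central_directory(data)[name]
    nlen, elen = struct.unpack_from("<HH", data, e["lho"] + 26)
    start = e["lho"] + 30 + nlen + elen
    blob = bytes(data[start:start + e["csize"]])
    for method in methods or (e["method"],):
        try:
            return decode_entry(blob, method, e["crc"])
        except ValueError:
            continue
    raise ValueError(f"no candidate method reproduces the recorded CRC-32 of {name}")

def recover(data, name):
    """Header-agnostic: ignore both method fields and let the CRC-32 decide Deflate vs Store."""
    return extract_via_central_directory(data, name, methods=(8, 0))

CASES = {  # label -> (how the manifest is really compressed, which header edit to apply)
    "clean": (zipfile.ZIP_DEFLATED, 0),
    "case1": (zipfile.ZIP_DEFLATED, 1),
    "case2": (zipfile.ZIP_STORED, 2),
    "case3": (zipfile.ZIP_DEFLATED, 3),
}

def _ok(reader, apk):
    try:
        return reader(apk, NAME) == MANIFEST
    except ValueError:
        return False

def run_matrix():
    """Per case: (local-header walker ok, central-directory reader ok, recover ok)."""
    results = {}
    for label, (method, case) in CASES.items():
        apk = build_apk(method)
        tamper(apk, NAME, case)
        results[label] = tuple(_ok(r, apk) for r in (extract_via_local_headers, extract_via_central_directory, recover))
    return results
```

Calling run_matrix() gives a 4x3 matrix: cases 1 and 2 break the local-header walker but not the central-directory reader, case 3 does the reverse, and the CRC-driven recovery succeeds on all four. The caveat a practitioner should keep in mind is that the recovery leans on the central directory's compressed size and CRC-32 being truthful; an attacker who also corrupts those fields forces you to bound the payload by the next local header signature and to check decoded output by other means, for instance whether it parses as a manifest.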

Tools such as 7-Zip, Apktool, JADX and others cannot correctly unpack or analyze BadPack files because of the altered headers. The recently released, publicly available tool APKInspector, however, is able to extract and decode AndroidManifest.xml even from such files.

Palo Alto Networks researchers reported their findings to Google. According to Google, no applications carrying this malware are present in the official Google Play store. Android users are protected by Google Play Protect, which warns about or blocks known malicious applications, even when they are installed from third-party sources.

BadPack is a serious threat to Android users and makes the work of security analysts harder. Users are advised to rely on trustworthy security tools and to avoid installing applications from untrusted sources. For analysts, an APK that a standard unzip tool rejects is not necessarily corrupt and should be examined with a tool that tolerates malformed headers, such as APKInspector.
