Carding Forum
Professional
Cybercriminals have invented a new way to cheat antivirus programs.
In recent years, cybercriminals have increasingly used malicious Android apps. One of the recent key threats, according to researchers from Palo Alto Networks, is a new form of the BadPack virus.
The malware is an APK file specially packaged with modified headers, which makes it difficult to analyze and detect. The same technique is also actively used in banking Trojans such as BianLian, Cerberus, and TeaBot.
APKs are Android app packages that use the ZIP format. The main file in these packages is AndroidManifest.xml, which contains important information about the app. In the case of BadPack, this file has modified headers, which prevents it from being extracted and analyzed.
The ZIP format includes two main types of headers: local file headers and central directory file headers. Attackers can change the fields in these headers to prevent the contents of the APK file from being extracted.
Examples of changes in BadPack:
- The correct compression method is specified, but with an incorrect compressed file size.
- An invalid compression method is specified when the actual method is STORE.
- The compression method is specified only in the local header when the actual method is DEFLATE.
Tools such as 7-Zip, Apktool, Jadx, and others cannot correctly decompress or analyze BadPack due to modified headers. However, the recently released public tool APKInspector is able to extract and decode AndroidManifest.xml even from such files.
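As an added illustration (not code from the article or from Palo Alto Networks), the script below cross-checks every local file header against its central directory entry, the two ZIP header types described above, and reports the inconsistencies a BadPack-style package relies on. The minimal APK-like ZIP and the tampering step are constructed here purely so the checker has something to flag; the 0x1234 method value is an arbitrary invalid one.

```python
import io, struct, zipfile
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
KNOWN_METHODS = {0: "STORE", 8: "DEFLATE"}  # the only compression methods valid in an APK

def parse_central_directory(data):
    """Return (name, method, comp_size, uncomp_size, local_offset) for each central directory entry."""
    pos = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]  # CD start from the EOCD record
    entries = []
    while data[pos:pos + 4] == CENTRAL_SIG:
        method, = struct.unpack_from("<H", data, pos + 10)
        comp_size, uncomp_size, name_len, extra_len, comment_len = struct.unpack_from("<IIHHH", data, pos + 20)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        entries.append((data[pos + 46:pos + 46 + name_len].decode(), method, comp_size, uncomp_size, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def check_headers(data):
    """Compare each central directory entry with its local file header; return a list of findings."""
    findings = []
    for name, cd_method, cd_csize, cd_usize, off in parse_central_directory(data):
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {off}")
            continue
        lh_method, = struct.unpack_from("<H", data, off + 8)
        lh_csize, lh_usize = struct.unpack_from("<II", data, off + 18)
        for where, m in (("local", lh_method), ("central", cd_method)):
            if m not in KNOWN_METHODS:
                findings.append(f"{name}: unknown compression method {m} in {where} header")
        if lh_method != cd_method:
            findings.append(f"{name}: method mismatch local={lh_method} central={cd_method}")
        if (lh_csize, lh_usize) != (cd_csize, cd_usize):
            findings.append(f"{name}: size mismatch local={lh_csize}/{lh_usize} central={cd_csize}/{cd_usize}")
    return findings

def build_sample_apk():
    """Constructed sample: a minimal APK-like ZIP with a deflated manifest and a stored dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 8, zipfile.ZIP_DEFLATED)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32, zipfile.ZIP_STORED)
    return buf.getvalue()

def patch_local_method(data, name, method):
    """Constructed tampering of the kind the article lists: rewrite only the local header's method field."""
    off = next(e[4] for e in parse_central_directory(data) if e[0] == name)
    return data[:off + 8] + struct.pack("<H", method) + data[off + 10:]

if __name__ == "__main__":
    clean = build_sample_apk()
    print(check_headers(clean), check_headers(patch_local_method(clean, "AndroidManifest.xml", 0x1234)))
```

A clean package yields no findings; the tampered one reports the unknown method in the local header and the local/central mismatch, which is exactly where standard unzip tools give up.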
Palo Alto specialists reported their findings to Google. According to the company, there are no apps with this virus in the official Google Play store. Android users are protected by Google Play Protect, which blocks known malicious apps even if they are downloaded from third-party sources.
BadPack poses a serious threat to Android users and complicates the work of cybersecurity analysts. To protect yourself, we recommend using strong security tools and avoiding installing applications from untrusted sources.