July 17, 2024 at 11:36AM
“BadPack,” a set of maliciously packaged APK files, creates challenges for analysts trying to detect and analyze malware in Android applications. The altered header information in BadPack files hampers reverse-engineering tools and has contributed to the rise of Android banking Trojans. Unit 42 researchers have developed methods to detect and mitigate BadPack threats.
Key Takeaways from the Meeting Notes:
1. “BadPack” refers to a group of maliciously packaged APK files that hinder the analysis and detection of malware within Android applications, making it challenging for security analysts to identify and mitigate these threats.
2. BadPack files carry altered ZIP header information (ZIP being the compressed container format used by APK files), which poses a significant obstacle for Android reverse-engineering tools and has contributed to the surge of Android banking Trojans and other malware.
3. Unit 42’s telemetry detected almost 9,200 BadPack samples in Android apps over the past year, with Google stating that it has removed them from the Google Play store.
4. Malware authors manipulate the ZIP structure headers of the APK so that analysis tools fail to extract and decode AndroidManifest.xml, causing errors in the static analysis pipeline.
5. Analysis tools such as Apktool and Jadx are stricter about ZIP header values than the Android system runtime on devices, so an APK with invalid header values can still run on an Android device while the tools fail on it.
6. Unit 42 has devised a way to analyze BadPack APK samples by reversing header changes and restoring the original ZIP structure header values before using APK analysis tools. Additionally, the open source tool APK Inspector can successfully extract APK content and decode the Android manifest file when BadPack is present, aiding in malware detection.
7. Android users are advised to be suspicious of applications requiring unusual permissions, and to refrain from installing applications from third-party sources onto their devices to prevent the infiltration of stealthy malware.
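As an added example (not code from the Unit 42 post this page summarizes), the following Python script models the header check and restoration step from items 4 to 6: it compares each ZIP local file header with the corresponding central directory entry, reports the fields that disagree, and rewrites the local header from the central directory values before a strict tool is run. The assumption that the tampering shows up as a local header/central directory mismatch, the tiny APK-like archive, the tampered fixture, and the "strict" extractor that trusts only the local header are all constructed for the demonstration; Python's zipfile module, which resolves compression method and sizes from the central directory, stands in for a lenient reader.

```python
import io
import struct
import zipfile
import zlib

# ZIP record signatures and layouts (little-endian), per the ZIP format.
LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LFH_STRUCT = "<4sHHHHHIIIHH"         # 30 bytes: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
CDH_STRUCT = "<4sHHHHHHIIIHHHHHII"   # 46 bytes: ..., crc, csize, usize, nlen, xlen, clen, disk, iattr, eattr, lfh_offset
EOCD_STRUCT = "<4sHHHHIIH"           # 22 bytes: sig, disk, cd_disk, n_here, n_total, cd_size, cd_offset, clen
FLAG_DATA_DESCRIPTOR = 0x0008        # when set, local crc/sizes are legitimately zero


def build_sample_apk():
    """Constructed fixture: a tiny, well-formed APK-like archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.example.constructed"/>')
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def parse_central_directory(data):
    """Walk the central directory and return the fields a lenient reader relies on."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    rec = struct.unpack_from(EOCD_STRUCT, data, eocd)
    n_total, pos = rec[4], rec[6]
    entries = []
    for _ in range(n_total):
        f = struct.unpack_from(CDH_STRUCT, data, pos)
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        nlen, xlen, clen = f[10], f[11], f[12]
        entries.append({"name": bytes(data[pos + 46:pos + 46 + nlen]), "method": f[4],
                        "crc": f[7], "csize": f[8], "usize": f[9], "lfh_offset": f[16]})
        pos += 46 + nlen + xlen + clen
    return entries


def find_header_mismatches(data):
    """Detection: (name, field, local_value, central_value) for every disagreeing field."""
    found = []
    for e in parse_central_directory(data):
        off = e["lfh_offset"]
        lfh = struct.unpack_from(LFH_STRUCT, data, off)
        if lfh[0] != LFH_SIG:
            found.append((e["name"], "signature", lfh[0], LFH_SIG))
            continue
        local_name = bytes(data[off + 30:off + 30 + lfh[9]])
        if local_name != e["name"]:
            found.append((e["name"], "name", local_name, e["name"]))
        local = {"method": lfh[3], "crc": lfh[6], "csize": lfh[7], "usize": lfh[8]}
        # A data descriptor makes zero crc/sizes legitimate, so then only the method is comparable.
        fields = ("method",) if lfh[2] & FLAG_DATA_DESCRIPTOR else ("method", "crc", "csize", "usize")
        for field in fields:
            if local[field] != e[field]:
                found.append((e["name"], field, local[field], e[field]))
    return found


def restore_local_headers(data):
    """Repair: copy method, crc and sizes from the central directory back into each local header."""
    out = bytearray(data)
    for e in parse_central_directory(out):
        off = e["lfh_offset"]
        struct.pack_into("<H", out, off + 8, e["method"])
        if not struct.unpack_from("<H", out, off + 6)[0] & FLAG_DATA_DESCRIPTOR:
            struct.pack_into("<III", out, off + 14, e["crc"], e["csize"], e["usize"])
    return bytes(out)


def extract_trusting_local_header(data, name):
    """Strict reader (constructed): method and compressed size come from the local header only."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    off = entry["lfh_offset"]
    lfh = struct.unpack_from(LFH_STRUCT, data, off)
    start = off + 30 + lfh[9] + lfh[10]
    raw = bytes(data[start:start + lfh[7]])
    if lfh[3] == zipfile.ZIP_STORED:
        return raw
    if lfh[3] == zipfile.ZIP_DEFLATED:
        return zlib.decompress(raw, -15)
    raise ValueError("unsupported compression method %d in local header" % lfh[3])


def make_tampered_sample():
    """Constructed fixture: the manifest's local header no longer matches the central directory."""
    data = bytearray(build_sample_apk())
    entry = next(e for e in parse_central_directory(data) if e["name"] == b"AndroidManifest.xml")
    off = entry["lfh_offset"]
    struct.pack_into("<H", data, off + 8, 0xFFFF)      # bogus compression method
    struct.pack_into("<III", data, off + 14, 0, 0, 0)  # zeroed crc and sizes
    return bytes(data)


def read_via_zipfile(data, name):
    """Lenient reader: zipfile takes method and sizes from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    tampered = make_tampered_sample()
    for m in find_header_mismatches(tampered):
        print("mismatch: %s %s local=%r central=%r" % (m[0].decode(), m[1], m[2], m[3]))
    print("lenient reader still gets manifest:", read_via_zipfile(tampered, "AndroidManifest.xml"))
    try:
        extract_trusting_local_header(tampered, b"AndroidManifest.xml")
    except ValueError as err:
        print("strict reader fails:", err)
    print("after repair:", extract_trusting_local_header(restore_local_headers(tampered), b"AndroidManifest.xml"))
```

The mismatch list is the detection signal: a real archive written by a normal ZIP tool produces no entries, so any disagreement between the two headers is worth flagging before the sample is handed to Apktool or Jadx. The repair only rewrites fields that do not change record sizes (method, crc, compressed and uncompressed size), so offsets recorded in the central directory stay valid; filename or signature damage is reported but left for manual handling.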
The awareness of the BadPack threat and the preventive measures recommended by Unit 42 are crucial for both security analysts and Android users in mitigating the risks associated with Android malware leveraging BadPack.