Cybersecurity researchers from Palo Alto Networks’ Unit 42 have identified a novel Android malware variant dubbed “BadPack,” which utilizes a sophisticated evasion technique to bypass traditional security analysis tools. Tampered headers, a hallmark of BadPack, pose significant challenges for Android reverse engineering tools. Known to be used in banking Trojans like BianLian, Cerberus, and TeaBot, BadPack exemplifies the increasing sophistication of malware targeting Android devices.
APK files, the backbone of Android applications, utilize the ZIP archive format and contain the crucial AndroidManifest.xml file. This manifest stores essential data and instructions for the application’s operation. In BadPack APKs, attackers manipulate the ZIP header data to hinder the extraction and analysis of this file, thwarting traditional malware analysis tools like Apktool and Jadx.
BadPack’s strategy involves tampering with the ZIP structure headers, making it difficult for tools to extract and decode the AndroidManifest.xml file. This interference leads to a cascade of errors in the analysis process, ultimately preventing the malware from being fully understood and countered.
Malware authors employ various methods to manipulate ZIP headers:
- Invalid Compressed Size with STORE Method: Specifying an incorrect compressed size while using the STORE method.
- Incorrect Compression Method Value: Using a non-DEFLATE compression method value when the payload is STORE.
- Mismatch in Local File Header: Setting a compression method value only in the local file header while the actual payload is DEFLATE.
These tactics exploit the gap between analysis tools, which follow the ZIP specification strictly and refuse inconsistent headers, and the Android runtime, which parses archives more leniently and tolerates the malformed fields.
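As an added example (not Unit 42's code, nor apkInspector's), the following Python checker walks an archive's central directory and compares each entry with its local file header, flagging the three manipulations listed above: a nonstandard method value, a method that differs between the two headers, and STORE entries whose size fields do not agree. The APK it builds is a constructed stand-in rather than a real app, and `tamper_local_header` exists only to reproduce the mismatches so the checker can be exercised.

```python
import io
import struct
import zipfile

def check_zip_headers(data: bytes):
    """Compare each central-directory entry with its local file header; returns [(name, finding), ...]."""
    findings, eocd = [], data.rfind(b"PK\x05\x06")        # end-of-central-directory record
    if eocd < 0:
        return [("<archive>", "end-of-central-directory record not found")]
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            return findings + [("<archive>", f"central directory signature missing at offset {pos}")]
        (cd_method, cd_csize, cd_usize, name_len, extra_len, comment_len,
         lfh) = struct.unpack_from("<H8xIIHHH8xI", data, pos + 10)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len
        if data[lfh:lfh + 4] != b"PK\x03\x04":
            findings.append((name, "local file header signature missing"))
            continue
        flags, lfh_method, lfh_csize, lfh_usize = struct.unpack_from("<HH8xII", data, lfh + 6)
        if cd_method not in (0, 8) or lfh_method not in (0, 8):   # 0 = STORE, 8 = DEFLATE, all Android accepts
            findings.append((name, f"nonstandard compression method (central directory {cd_method}, local header {lfh_method})"))
        if lfh_method != cd_method:
            findings.append((name, f"method mismatch: local header {lfh_method} vs central directory {cd_method}"))
        if cd_method == 0 and cd_csize != cd_usize:
            findings.append((name, f"STORE entry with compressed size {cd_csize} != uncompressed size {cd_usize}"))
        # flag bit 3 means the sizes sit in a trailing data descriptor, so zeros in the local header are then legitimate
        if not flags & 0x08 and (lfh_csize, lfh_usize) != (cd_csize, cd_usize):
            findings.append((name, f"local header sizes ({lfh_csize}, {lfh_usize}) differ from central directory ({cd_csize}, {cd_usize})"))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (not a real app): a STORED manifest plus a DEFLATED dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.placeholder'/>", zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64), zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def tamper_local_header(data: bytes, name: str, method: int, csize=None) -> bytes:
    """Rewrite only the local file header of `name` (central directory left intact) to reproduce the mismatches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        lfh = zf.getinfo(name).header_offset
    buf = bytearray(data)
    struct.pack_into("<H", buf, lfh + 8, method)           # compression method field
    if csize is not None:
        struct.pack_into("<I", buf, lfh + 18, csize)       # compressed size field
    return bytes(buf)
```

Because the central directory is compared against each local header rather than trusted on its own, the checker also reports which of the two headers carries the bogus value, which is the detail a triage note needs.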
The BadPack technique’s impact on various tools is evident:
- 7-Zip: Fails to extract AndroidManifest.xml due to “Headers Error.”
- Apktool and Jadx: Report errors about nonstandard compression methods, which is itself a sign that the sample has been manipulated.
- JAR and Unzip Tools: Fail on the unsupported compression methods, so the tampered entries cannot be extracted from the APK.
Among the tools tested, apkInspector proved capable of extracting and decoding the AndroidManifest.xml file from BadPack APK samples. This open-source tool, released in December 2023, offers detailed insights into the ZIP structure and demonstrates resilience against tampered compression methods.
The proliferation of Android devices has amplified the threat landscape, making it imperative to develop innovative techniques and tools to combat sophisticated malware like BadPack. Users must remain vigilant, especially regarding apps requesting unusual permissions, and avoid installing software from unverified third-party sources.