Beware of “BadPack”: Android Malware Disguised with Tricky Headers
In recent years, cybercriminals have increasingly relied on malicious Android applications. One recent, significant threat, according to researchers from Palo Alto Networks, is a form of malware known as BadPack.
BadPack is an APK file packed with deliberately altered ZIP headers, which complicates its analysis and detection. The same technique is also actively used by banking trojans such as BianLian, Cerberus, and TeaBot.
APK files are Android application packages in the ZIP format. The most important file within such a package is AndroidManifest.xml, which holds essential information about the application. In BadPack samples, the headers for this file are altered, hindering its extraction and analysis.
The ZIP format has two main kinds of headers: local file headers and central directory file headers. Attackers can modify fields in these headers so that the APK file's contents cannot be extracted correctly.
Examples of alterations in BadPack include:
- Indicating the correct compression method but with an incorrect compressed file size.
- Indicating an incorrect compression method when the actual method is STORE.
- Indicating the compression method only in the local header when the actual method is DEFLATE.
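Every alteration listed above produces a disagreement between what the headers claim and what the archive actually contains, so a defender can spot such files by parsing both headers independently and cross-checking them. The script below is an added example, not code from the original article or from Palo Alto Networks: it reads a ZIP/APK's central directory and local file headers by hand (no ZIP64 support), reports entries whose two headers disagree on compression method or compressed size, and verifies that each payload decodes and CRC-checks under the method the central directory advertises. The sample archive and the tampered copy used to exercise the check are constructed inline.

```python
"""Cross-check ZIP local file headers against the central directory.

Added example (not from the original article). Flags entries whose
local header and central directory entry disagree, or whose payload
does not decode under the advertised method. Sample data is constructed.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORE, DEFLATE = 0, 8
FLAG_DATA_DESCRIPTOR = 1 << 3   # sizes/CRC legitimately follow the payload


def parse_central_directory(data: bytes) -> list:
    """Return one dict per central directory entry (no ZIP64 support)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        # method@10, crc@16, csize@20, usize@24, name/extra/comment lens@28,
        # skip disk number and attributes (8 bytes), local header offset@42
        (method, crc, csize, usize, name_len, extra_len, comment_len,
         lfh_offset) = struct.unpack_from("<H4xIIIHHH8xI", data, pos + 10)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append(dict(name=name, method=method, crc=crc, csize=csize,
                            usize=usize, lfh_offset=lfh_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def parse_local_header(data: bytes, offset: int) -> dict:
    """Return local file header fields plus the offset where the payload starts."""
    if data[offset:offset + 4] != LFH_SIG:
        raise ValueError(f"bad local header signature at {offset}")
    # flags@6, method@8, crc@14, csize@18, usize@22, name_len@26, extra_len@28
    flags, method, crc, csize, usize, name_len, extra_len = struct.unpack_from(
        "<HH4xIIIHH", data, offset + 6)
    return dict(flags=flags, method=method, crc=crc, csize=csize, usize=usize,
                data_offset=offset + 30 + name_len + extra_len)


def check_archive(data: bytes) -> list:
    """Return (entry name, finding) tuples; an empty list means the headers agree."""
    findings = []
    for cd in parse_central_directory(data):
        lfh = parse_local_header(data, cd["lfh_offset"])
        if lfh["method"] != cd["method"]:
            findings.append((cd["name"],
                             f"method mismatch: local={lfh['method']} central={cd['method']}"))
        # With a data descriptor the local sizes are legitimately zero.
        if not lfh["flags"] & FLAG_DATA_DESCRIPTOR and lfh["csize"] != cd["csize"]:
            findings.append((cd["name"],
                             f"compressed size mismatch: local={lfh['csize']} central={cd['csize']}"))
        payload = data[lfh["data_offset"]:lfh["data_offset"] + cd["csize"]]
        try:
            if cd["method"] == STORE:
                raw = payload
            elif cd["method"] == DEFLATE:
                raw = zlib.decompress(payload, -15)   # raw deflate, no zlib header
            else:
                raise ValueError(f"unsupported method {cd['method']}")
            if zlib.crc32(raw) != cd["crc"] or len(raw) != cd["usize"]:
                raise ValueError("payload CRC/size does not match central directory")
        except (ValueError, zlib.error) as exc:
            findings.append((cd["name"], f"payload does not decode: {exc}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: a tiny APK-like ZIP with a stored manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" * 64, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def tamper_local_method(data: bytes, name: str, method: int) -> bytes:
    """Constructed test fixture: rewrite one entry's local-header method field so
    it no longer matches the STORE data, giving check_archive() something to catch."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    out = bytearray(data)
    struct.pack_into("<H", out, entry["lfh_offset"] + 8, method)
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_archive()
    bad = tamper_local_method(clean, "AndroidManifest.xml", DEFLATE)
    print("clean:", check_archive(clean))        # []
    print("tampered:", check_archive(bad))       # one "method mismatch" finding
```

Running the script prints no findings for the clean archive and one "method mismatch" finding for AndroidManifest.xml in the tampered copy. The check ignores local-header sizes when the data-descriptor flag is set, since legitimate streamed archives leave those fields zero; everything else that disagrees between the two headers, or that fails to decode and CRC-check under the central directory's method, is a reason to treat the file as suspicious and inspect it with a tool that reads the headers independently.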
Tools such as 7-Zip, Apktool, Jadx, and others cannot correctly unpack or analyze BadPack due to the altered headers. However, the recently released public tool apkInspector can extract and decode AndroidManifest.xml even from such files.
Palo Alto Networks specialists reported their findings to Google. According to the company, no applications carrying this malware are present in the official Google Play store. Android users are also protected by Google Play Protect, which blocks known malicious applications even when they are downloaded from third-party sources.
BadPack presents a serious threat to Android users and complicates the work of cybersecurity analysts. To safeguard against such threats, it is recommended to use reliable security tools and avoid installing applications from untrusted sources.