Konfety Returns: Classic Mobile Threat with New Evasion Techniques
A new variant of the Android malware family Konfety has been identified that layers several evasion techniques on top of its long-running ad-fraud operation. It combines dual-app deception (a malicious app masquerading as a legitimate twin), ZIP-level evasion, dynamic code loading, and stealth features to commit ad fraud and redirect users to malicious websites. The APK's ZIP structure is deliberately tampered with so that the package still installs on Android but trips up security checks and static-analysis tooling, which complicates reverse engineering. Critical functionality is held in encrypted assets that are decrypted and loaded only at runtime, so a static look at the package reveals little of the real behaviour. The app mimics legitimate apps, hides its launcher icon after installation, and uses geofencing to vary its behaviour by region. The operators behind Konfety are highly adaptable, updating their methods continuously to evade detection and to target a range of ad networks.
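The ZIP-level evasion and the file hashes are the two things a responder can act on directly. The Python script below is an added example, not tooling from this page, from Zimperium, or from the Konfety authors. It hashes a file with the three algorithms used in the Indicators of Compromise table (MD5, SHA-1, SHA-256) and matches against a few of the listed values, then walks the archive's central directory and local file headers by hand and flags the header-level inconsistencies this kind of tampering relies on: an entry marked as encrypted (no legitimate APK is ZIP-encrypted), a compression method Android would not accept, or a local header that disagrees with the central directory. The sample archive is constructed in memory, and the two specific lies planted in it (an "encrypted" flag on classes.dex and a BZIP2 method code in one local header) are assumptions about what such tampering looks like; the page does not state which fields Konfety actually alters.

```python
"""Triage helper for Konfety-style APKs (added example, not the page's or Zimperium's code)."""
import hashlib
import io
import struct
import zipfile

# A few values copied from the IOC table on this page; assumed to be whole-APK hashes.
KONFETY_IOCS = {
    "b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759",  # SHA-256
    "00945892d2c890153a2a81ef285b342f",                                  # its MD5
    "d6db6ff1feef3247d8ce98100d72069ce38f3a8d",                          # its SHA-1
    "0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10",  # SHA-256
}

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LH_FMT, CD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII"   # 30- and 46-byte fixed parts
FLAG_ENCRYPTED = 0x0001
ANDROID_METHODS = {0, 8}   # Android's zip reader accepts only STORED and DEFLATE entries


def file_hashes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_iocs(data: bytes) -> set:
    """Names of the algorithms whose digest of `data` appears in the IOC set."""
    return {algo for algo, digest in file_hashes(data).items() if digest in KONFETY_IOCS}


def _walk_central_directory(data: bytes):
    """Yield one dict per central-directory entry, located via the end-of-central-directory record."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries = struct.unpack_from("<H", data, eocd + 10)[0]
    pos = struct.unpack_from("<I", data, eocd + 16)[0]
    for _ in range(n_entries):
        (sig, _made, _need, flags, method, _t, _d, _crc, _csize, _usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lh_off) = struct.unpack_from(CD_FMT, data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield {"name": name, "cd_pos": pos, "lh_off": lh_off, "flags": flags, "method": method}
        pos += 46 + nlen + xlen + clen


def inspect_apk(data: bytes) -> list:
    """Return human-readable findings; an honest archive yields an empty list."""
    findings = []
    for e in _walk_central_directory(data):
        if e["flags"] & FLAG_ENCRYPTED:
            findings.append(f"{e['name']}: encryption flag set in central directory (APKs are never ZIP-encrypted)")
        if e["method"] not in ANDROID_METHODS:
            findings.append(f"{e['name']}: central directory declares method {e['method']}, which Android would reject")
        sig, _need, lflags, lmethod, _t, _d, _crc, _cs, _us, _nlen, _xlen = struct.unpack_from(LH_FMT, data, e["lh_off"])
        if sig != LOCAL_SIG:
            findings.append(f"{e['name']}: no local header at offset {e['lh_off']:#x}")
            continue
        if lflags != e["flags"] or lmethod != e["method"]:
            findings.append(f"{e['name']}: local header (method={lmethod}, flags={lflags:#06x}) disagrees with "
                            f"central directory (method={e['method']}, flags={e['flags']:#06x})")
    return findings


def stdlib_can_extract(data: bytes) -> bool:
    """What a tool that trusts the headers sees: Python's zipfile refuses 'encrypted' entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                z.read(info)
        return True
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
        return False


def _patch_entry(data: bytes, name: str, flags=None, method=None, local_only=False) -> bytes:
    """Rewrite the flags/method fields of one entry: offsets +6/+8 in a local header, +8/+10 in the central one."""
    buf = bytearray(data)
    for e in _walk_central_directory(data):
        if e["name"] != name:
            continue
        targets = [(e["lh_off"], 6, 8)] + ([] if local_only else [(e["cd_pos"], 8, 10)])
        for base, flag_off, method_off in targets:
            if flags is not None:
                struct.pack_into("<H", buf, base + flag_off, flags)
            if method is not None:
                struct.pack_into("<H", buf, base + method_off, method)
    return bytes(buf)


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: three plausible entry names in an ordinary ZIP."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(200))
        z.writestr("assets/payload.bin", bytes(range(256)) * 4)
    return bio.getvalue()


def build_tampered_apk() -> bytes:
    """The same archive after two header-level lies (assumed shapes of tampering, not Konfety's exact bytes)."""
    apk = _patch_entry(build_sample_apk(), "classes.dex", flags=FLAG_ENCRYPTED)   # flag only, data untouched
    return _patch_entry(apk, "assets/payload.bin", method=12, local_only=True)    # 12 = BZIP2 in APPNOTE


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk()), ("tampered", build_tampered_apk())):
        print(f"[{label}] sha256={file_hashes(blob)['sha256']} ioc_hits={match_iocs(blob) or '-'}")
        print(f"[{label}] zipfile extracts cleanly: {stdlib_can_extract(blob)}")
        for line in inspect_apk(blob):
            print(f"[{label}]   ! {line}")
```

To triage a real sample, read the APK bytes and pass them to `match_iocs` and `inspect_apk`. The cross-check between the two header copies matters: Python's own `zipfile` takes the compression method from the central directory and never compares it with the local header, so it would extract the second tampered entry without complaint while refusing the first; a checker that validates both copies against each other and against what Android actually installs catches both.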
Technical Details
- Author: AlienVault
- TLP: white
- References: https://github.com/Zimperium/IOC/blob/master/2025-07-Konfety/apks.csv
- Adversary: none listed
- Pulse ID: 68775c1f3243d970b75d786c
- Threat Score: none listed
Indicators of Compromise
Hash
Value | Description |
---|---|
00945892d2c890153a2a81ef285b342f | MD5 of b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759 |
2540c17d6e5b09e52ac242214cad0dd0 | MD5 of 2d26502ff7a99c0df781ea7830fbafef621ff5c592a0803e63784f9b3d85d4ce |
27d6ab57886b5cddd0a90e34a29f24a8 | MD5 of eadcb8d177ef3fe5de6d0999d4f854485f79f832593c375491361b6a3e23d595 |
2ab79081761aa8d832c15c7f02c267c4 | MD5 of 160a924a804c5f390358a17dcd45031a5785ae013990a9185d57a164d3836845 |
481ad2ee4c1694fafa3953067066db6a | MD5 of ec7e1bb518d6d0a42afc78d33856e1b90a92f110a47cfd92ed9ff23a635ba017 |
5198e584dd2a8a0c8b211cd38296b5fd | MD5 of 30d8a0fc34697966f80ca9652e98781612006efc09df93f42b92c8f0d3979056 |
54a5995985269dfc9cbbe7bda8adf8c7 | MD5 of 602972dfa5321381c4b40e35fe3f8b1ac66e7759c9c4a76efdffdbe0eaa1bca3 |
58dc17b962b5998c3fa1efc4f0b5a0c2 | MD5 of 73763f6106f8c0e928fe302d5764926832cc3afabe016c35b9c9fd99656d5191 |
59c9519bffb8f2be7303ecd4e48adb41 | MD5 of 6dc9d8c1cf11138eccea44e3662b044879f9721c22d6e3a90a1fdb76e674260e |
5fea973402191177a5a0d62823e8f798 | MD5 of 0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10 |
71d2f9d222f90754261ad491947c049a | MD5 of 6097ac05da6c79d06f8ced22edf611ad551fbad7a00410f14fa4831cc9ccf2ea |
7b99ec732d1d5184b6475bc0095d3f5d | MD5 of 7f645f7794a3039ed57e68a2a4dccd9825de054cfa3aece8e58694183cfcdf7d |
a2875066bc239d0eb1d6a4aaa04aa250 | MD5 of 94c01ed008c8b83f1d9fc247b18ec36c05356b449a1d3d7940b0a737f3a61d22 |
aaea0df58d6c2ff5124847297584f134 | MD5 of 6504fc4739d220dc98f3596a424479ce066ea5eed409f3bc2cf0ea08584e6dc1 |
ab20375bdd8ab546f1eaf1181ee36ec6 | MD5 of a8c6a7a08e836ffad32b706182aa081849688fbdc023841c36a0920d62dd1fd4 |
af111828c1e6680d99f7489b981e1036 | MD5 of 9f0778d5d3625321547d561e8c485f21ca606754e6c107685b97b3800336f3ee |
dde5f1abaec3514bcf7f54e5888dd65e | MD5 of 8449156b632a3d7839c632377197728430e4dea8c7fa9a02648d13f9fa33bb8b |
e9c87daf4d1d41f46f9776c18340ad36 | MD5 of d554ec3737d2ce09ab44366b210a0a3ce73af687b0a55047d899913c5932a14c |
ea88ea0b1429e9a6ef3939df40a1efca | MD5 of 45ccf69ad2b86b46d749998438aa090c50f0e3b12b74d109c02e3de70152f2ab |
fbde5673da3a79655f562bfc306ae422 | MD5 of 3b6cdd4d708c3c79c7c2adbb2394293797a2c9cace8f724a14ed1dfa49d4a025 |
2772e93e76f00a3a21344fc74459aeb496ffaf43 | SHA-1 of 7f645f7794a3039ed57e68a2a4dccd9825de054cfa3aece8e58694183cfcdf7d |
38d3a1f588f4cf309ea67e4e2797269be7cce5f2 | SHA-1 of 6097ac05da6c79d06f8ced22edf611ad551fbad7a00410f14fa4831cc9ccf2ea |
4308fe6fb14959bcdad5ed504251cde58bf551ee | SHA-1 of 94c01ed008c8b83f1d9fc247b18ec36c05356b449a1d3d7940b0a737f3a61d22 |
5a87cb01c572589163fe5f03827b122cf253aa96 | SHA-1 of d554ec3737d2ce09ab44366b210a0a3ce73af687b0a55047d899913c5932a14c |
706ab9f13cb33e2d8478ea439ef61fe2a00a7b9c | SHA-1 of 30d8a0fc34697966f80ca9652e98781612006efc09df93f42b92c8f0d3979056 |
78daf6fe05b9dc295ecf596190848c55166baf30 | SHA-1 of 0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10 |
8772a66c21e662acff18c07e454d443f65b770fe | SHA-1 of 160a924a804c5f390358a17dcd45031a5785ae013990a9185d57a164d3836845 |
9b2714b8c5bc195275980cec5be4907dceb0e8ff | SHA-1 of 6504fc4739d220dc98f3596a424479ce066ea5eed409f3bc2cf0ea08584e6dc1 |
9f85ad70e46262ca37fc36b9dfbf1d6845bf41f3 | SHA-1 of 45ccf69ad2b86b46d749998438aa090c50f0e3b12b74d109c02e3de70152f2ab |
a5e22a25b649f846b2b7cee4c7ccf6fba8142242 | SHA-1 of a8c6a7a08e836ffad32b706182aa081849688fbdc023841c36a0920d62dd1fd4 |
ab6909227820dbd62bf7ca0f100b90b8883a0301 | SHA-1 of ec7e1bb518d6d0a42afc78d33856e1b90a92f110a47cfd92ed9ff23a635ba017 |
c353f4927ae38539869062207ab83636b4e2ddbc | SHA-1 of 9f0778d5d3625321547d561e8c485f21ca606754e6c107685b97b3800336f3ee |
cde18cef2ca2e58a3de6764681f50770e6809f93 | SHA-1 of 8449156b632a3d7839c632377197728430e4dea8c7fa9a02648d13f9fa33bb8b |
d6db6ff1feef3247d8ce98100d72069ce38f3a8d | SHA-1 of b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759 |
da3d4e9374b95714bfc51a16d247aa8d2934f76d | SHA-1 of 73763f6106f8c0e928fe302d5764926832cc3afabe016c35b9c9fd99656d5191 |
da5af103fec02a8bc4f40cfe6e5eb41bbb298204 | SHA-1 of 6dc9d8c1cf11138eccea44e3662b044879f9721c22d6e3a90a1fdb76e674260e |
e3ab8f6f554b707472f500cdd1192620e962c65a | SHA-1 of eadcb8d177ef3fe5de6d0999d4f854485f79f832593c375491361b6a3e23d595 |
ee2fa12a7b75193f3bb7d68ed2efd6e0e24ff977 | SHA-1 of 3b6cdd4d708c3c79c7c2adbb2394293797a2c9cace8f724a14ed1dfa49d4a025 |
f92fb5bdf653daf14424598f8ea3535c06b1a9ef | SHA-1 of 602972dfa5321381c4b40e35fe3f8b1ac66e7759c9c4a76efdffdbe0eaa1bca3 |
fe81ca3806a637f27801f09ebbe6805b8d2168cc | SHA-1 of 2d26502ff7a99c0df781ea7830fbafef621ff5c592a0803e63784f9b3d85d4ce |
0bc62ee202ec3022da280dfec839e4dec0800bb421ed482a657abf7aaf6f9c10 | SHA-256 |
160a924a804c5f390358a17dcd45031a5785ae013990a9185d57a164d3836845 | SHA-256 |
2d26502ff7a99c0df781ea7830fbafef621ff5c592a0803e63784f9b3d85d4ce | SHA-256 |
30bc2c475d09f9e41f11bcdc9089b077cfc4982f9d411e62f53ca5d732424541 | SHA-256 |
30d8a0fc34697966f80ca9652e98781612006efc09df93f42b92c8f0d3979056 | SHA-256 |
362d15f5f98e5ac2fbfb1333b57e6fe08cd98b2703e18341d51424f4e749fd7a | SHA-256 |
3b6cdd4d708c3c79c7c2adbb2394293797a2c9cace8f724a14ed1dfa49d4a025 | SHA-256 |
45ccf69ad2b86b46d749998438aa090c50f0e3b12b74d109c02e3de70152f2ab | SHA-256 |
4d81aeb12c20131f7581ed9c00f1fdd8edb4e82ffe762959e0e32832ddf9ab7c | SHA-256 |
602972dfa5321381c4b40e35fe3f8b1ac66e7759c9c4a76efdffdbe0eaa1bca3 | SHA-256 |
6097ac05da6c79d06f8ced22edf611ad551fbad7a00410f14fa4831cc9ccf2ea | SHA-256 |
6504fc4739d220dc98f3596a424479ce066ea5eed409f3bc2cf0ea08584e6dc1 | SHA-256 |
6dc9d8c1cf11138eccea44e3662b044879f9721c22d6e3a90a1fdb76e674260e | SHA-256 |
73763f6106f8c0e928fe302d5764926832cc3afabe016c35b9c9fd99656d5191 | SHA-256 |
7f645f7794a3039ed57e68a2a4dccd9825de054cfa3aece8e58694183cfcdf7d | SHA-256 |
7f8a1ae757dcce8fc869f5f50f79d12b24c6316b5498ce5117d62ebffc8c4178 | SHA-256 |
8449156b632a3d7839c632377197728430e4dea8c7fa9a02648d13f9fa33bb8b | SHA-256 |
94c01ed008c8b83f1d9fc247b18ec36c05356b449a1d3d7940b0a737f3a61d22 | SHA-256 |
9f0778d5d3625321547d561e8c485f21ca606754e6c107685b97b3800336f3ee | SHA-256 |
a8c6a7a08e836ffad32b706182aa081849688fbdc023841c36a0920d62dd1fd4 | SHA-256 |
b8348f6a2b81216a7c4603c70dddcfbd95ed9a8a2119cb8547782ce115e85759 | SHA-256 |
ca4ee1b33f69a2239efb4568fa0f2da9ee1b11145d12a539bb5db2ce61881023 | SHA-256 |
d554ec3737d2ce09ab44366b210a0a3ce73af687b0a55047d899913c5932a14c | SHA-256 |
e61a5f23526315c249997feaa08fbf86c42e584cfd19ab070ce23e9e2ffa0023 | SHA-256 |
eadcb8d177ef3fe5de6d0999d4f854485f79f832593c375491361b6a3e23d595 | SHA-256 |
ec7e1bb518d6d0a42afc78d33856e1b90a92f110a47cfd92ed9ff23a635ba017 | SHA-256 |
Threat ID: 68775c90a83201eaacd4c60d
Added to database: 7/16/2025, 8:02:24 AM
Last updated: 7/16/2025, 8:02:24 AM