BadPack, a recently discovered family of Android malware, is drawing attention for the way it evades detection and static analysis.
Researchers at Palo Alto Networks documented how the malware alters the structure of its APK files to evade security tooling.
BadPack ships inside APK files, the package format used to install apps on Android devices, and poses as a legitimate application.
What makes BadPack especially concerning is that it tampers with the ZIP headers inside the APK (an APK is a ZIP archive).
Those headers carry the metadata that security tools rely on to locate and unpack the archive's contents, so BadPack's tampering is a direct obstacle to any tool that tries to detect or analyse the malware.
Apktool and Jadx are standard tools for decompiling and inspecting Android apps.
They let analysts recover an app's resources and code, understand what it does, and spot potentially harmful behaviour.
The altered headers BadPack uses can cause these tools to fail when extracting key files, most importantly AndroidManifest.xml, which declares the app's package name, components and permissions.
The app nevertheless installs and runs, because the Android runtime tolerates ZIP inconsistencies that the analysis tools do not.
BadPack malware on Google Play Store?
Palo Alto Networks has shared its findings with Google to improve the overall security of Android. Google's detection systems ensure that no apps carrying BadPack are found on Google Play.
Google Play Protect, which is enabled by default on Android devices with Google Play Services, adds a further layer of defence: it can warn users about, or block, apps that exhibit malicious behaviour, even when those apps are installed from sources other than the official Play Store.
At the heart of BadPack's evasion technique is its manipulation of ZIP headers, which are part of the APK structure because an APK is a ZIP archive. A ZIP archive carries two kinds of per-entry header: a Local File Header placed immediately before each file's data, and a Central Directory File Header in the directory at the end of the archive.
Both describe the same entry (compression method, CRC-32, compressed and uncompressed sizes, file name). BadPack modifies these headers so that the two disagree, which makes it hard for analysis tools to extract and interpret the archive's contents correctly.
For example, a sample may state the correct compression method in the local file header but an incorrect compressed size. Tools that trust the local header then read the wrong number of bytes and fail to extract the entry.
Android, by contrast, resolves entries through the central directory header, so the package still installs and runs.
This difference in which header each consumer trusts is what lets BadPack slip past analysis while remaining a working app.
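To make the local-header versus central-directory distinction concrete, here is an added example; it is not code from the original article or from Palo Alto Networks. It builds a small constructed ZIP that stands in for an APK, applies the tactic described above (correct method, wrong compressed size, local file header only), audits the two header sets for disagreement, and then shows that an extractor which trusts the local header fails while one driven by the central directory still recovers AndroidManifest.xml. The archive contents, file names and function names are illustrative assumptions; nothing here models a real BadPack sample.

```python
import io
import struct
import zipfile
import zlib

# Fixed-size ZIP records, little-endian, as laid out in the ZIP application note (ZIP64 not handled).
LOCAL_SIG, LOCAL_FMT = b"PK\x03\x04", "<4sHHHHHIIIHH"            # local file header, 30 bytes
CENTRAL_SIG, CENTRAL_FMT = b"PK\x01\x02", "<4sHHHHHHIIIHHHHHII"  # central directory entry, 46 bytes
EOCD_SIG, EOCD_FMT = b"PK\x05\x06", "<4sHHHHIIH"                  # end of central directory, 22 bytes
LOCAL_COMP_SIZE_OFF = 18  # byte offset of the compressed-size field within a local file header
MANIFEST = b"<manifest package='com.example.sample'/>" * 20  # constructed placeholder content

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: an ordinary ZIP with two entries (not a BadPack sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def parse_central_directory(data: bytes) -> list:
    """Locate the EOCD record, then walk the central directory; returns one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    entries, pos = [], cd_off
    for _ in range(count):
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        entries.append({"name": data[pos + 46:pos + 46 + name_len].decode(), "method": f[4],
                        "crc": f[7], "compressed": f[8], "uncompressed": f[9], "local_offset": f[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries

def parse_local_header(data: bytes, offset: int) -> dict:
    """Parse the local file header at `offset`; `data_offset` is where the entry's bytes begin."""
    f = struct.unpack(LOCAL_FMT, data[offset:offset + 30])
    if f[0] != LOCAL_SIG:
        raise ValueError("bad local file header signature")
    name_len, extra_len = f[9], f[10]
    return {"method": f[3], "crc": f[6], "compressed": f[7], "uncompressed": f[8],
            "data_offset": offset + 30 + name_len + extra_len}

def audit_headers(data: bytes) -> dict:
    """Entry name -> fields whose local header disagrees with the central directory (empty list = consistent)."""
    report = {}
    for entry in parse_central_directory(data):
        local = parse_local_header(data, entry["local_offset"])
        report[entry["name"]] = [k for k in ("method", "crc", "compressed", "uncompressed") if local[k] != entry[k]]
    return report

def tamper_local_compressed_size(data: bytes, name: str) -> bytes:
    """Reproduce the tactic described above: correct method, wrong compressed size, local header only."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    pos = entry["local_offset"] + LOCAL_COMP_SIZE_OFF
    return data[:pos] + struct.pack("<I", entry["compressed"] // 2) + data[pos + 4:]

def _decode(blob: bytes, method: int, crc: int, name: str) -> bytes:
    """Inflate (or pass through) an entry's bytes and verify them against the header they were read from."""
    if method == 0:
        out = blob
    elif method == 8:
        d = zlib.decompressobj(-15)  # raw DEFLATE, no zlib wrapper
        out = d.decompress(blob)
        if not d.eof or d.unused_data:
            raise ValueError(f"{name}: compressed size does not match the DEFLATE stream")
    else:
        raise ValueError(f"{name}: unsupported compression method {method}")
    if zlib.crc32(out) != crc:
        raise ValueError(f"{name}: CRC-32 mismatch")
    return out

def strict_extract(data: bytes, name: str) -> bytes:
    """Extractor that trusts the local file header, the behaviour that breaks on tampered samples."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    local = parse_local_header(data, entry["local_offset"])
    start = local["data_offset"]
    return _decode(data[start:start + local["compressed"]], local["method"], local["crc"], name)

def tolerant_extract(data: bytes, name: str) -> bytes:
    """Extractor that takes size, method and CRC from the central directory, as the text says Android does."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    start = parse_local_header(data, entry["local_offset"])["data_offset"]  # local header only locates the bytes
    return _decode(data[start:start + entry["compressed"]], entry["method"], entry["crc"], name)

def strict_extract_fails(data: bytes, name: str) -> bool:
    """True when the local-header-trusting extractor cannot recover the entry."""
    try:
        strict_extract(data, name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    bad = tamper_local_compressed_size(build_sample_apk(), "AndroidManifest.xml")
    print("audit of tampered sample:", audit_headers(bad))
    print("strict extractor fails:", strict_extract_fails(bad, "AndroidManifest.xml"))
    print("tolerant extractor recovers manifest:", tolerant_extract(bad, "AndroidManifest.xml") == MANIFEST)
```

The `audit_headers` check is the one worth adding to an analysis pipeline: any entry whose two headers disagree should be flagged before the APK is handed to Apktool or Jadx, and the archive can then be repaired by rewriting the local header from the central directory values. One caveat: when general purpose flag bit 3 (data descriptor) is set, the ZIP format legitimately leaves the local header's CRC and sizes as zero and stores the real values in a descriptor after the data, so a production version of this audit must exempt those entries or it will produce false positives.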
The nearly 9,200 samples detected within a year show that attackers keep refining their techniques to bypass security measures.