'BadPack' APK Files Make Android Malware Hard to Detect

"BadPack," a set of maliciously packaged APK files that make it difficult for researchers to analyze and detect malware within Android applications, has come to light. It's a key reason why they believe the prevalence of Android banking Trojans and other malware such as TeaBot have surged in recent years, and continue to plague users of these devices.

BadPack files contain maliciously altered header information in a compressed file format for APK files, "and typically pose a challenge for Android reverse-engineering tools," Palo Alto Networks Unit 42's Lee Wei Yeong revealed in a report published on July 16.

In the last year, Unit 42's telemetry detected almost 9,200 BadPack samples in Android apps, including on Google Play; Google, however, says it has eliminated them from the mobile app store.

BadPack could be a reason that security analysis of Android malware historically has been so difficult. "APK files using BadPack reflect the increasing sophistication of APK malware samples," Yeong wrote. "This not only presents a formidable challenge for security analysts, but it also underscores the need for continuous development of innovative techniques and tools to identify and mitigate these threats."

APK files are applications used by the Android OS that use the ZIP archive format and contain a file named AndroidManifest.xml that stores data and instructions for the archive's content.

In a BadPack APK file, however, attackers have tampered with its ZIP header data in a way that attempts to prevent analysis of its content. Unit 42 researchers found that "many" Android banking Trojans — among them TeaBot (aka Anatsa), BianLian, and Cerberus — use BadPack, which have helped them infect Android devices with malware without being detected.

How BadPack Prevents Malware Detection

AndroidManifest.xml provides essential information about a mobile app to the Android OS, including components to handle both activities initiated by the user and services run by the application. The manifest also includes the permissions users grant to apps so they run correctly, as well as the versions of Android that the app runs on.

That said, the first step in static analysis of an APK sample is to read and process this manifest file, which is why it behooves malware authors to tamper with the file to make it difficult for security analysts to prevent this from happening.

BadPack does this by tampering with the structure headers of the ZIP file, making the APK fail to extract and decode AndroidManifest.xml. "This causes a chain reaction of errors downstream in the static analysis pipeline," Yeong wrote. "As a result, the file cannot be read and fully processed."

There are a variety of ways that malware authors can manipulate these header values to fool common static analysis tools like Apktool or Jadx that are used to detect malware. These tools are "generally stricter than the Android system runtime on Android devices," Yeong wrote.

"For these analysis tools, an APK sample must adhere to ZIP file format specifications," he wrote. "Therefore, Apktool and Jadx parse both the local file header and central directory file header of the ZIP structure headers in an APK file."

Android devices are not as strict about the official file format as these analysis tools, however, so an APK file may contain invalid values that do not fully adhere to the official file format specification, and it may still run.

"This is because the Android system runtime only inspects the central directory file header," Yeong wrote. "If a value from the local file header does not match, the Android runtime assumes what a correct value should actually be."

This is the difference in behavior that causes tools like Apktool and Jadx to fail to analyze a BadPack APK sample that installs and runs properly without issue on an Android device, and thus allows Trojans and other malware that leverages BadPack to successfully infect a device, he said.

BadPack Detection & Prevention

Unit 42 has found a way to analyze BadPack APK samples by reversing changes made to the header to restore the original ZIP structure header values before using APK analysis tools. The researchers also discovered that an open source tool called APK Inspector, released last December, can successfully extract APK content and decode the Android manifest file even when BadPack is present, providing defenders a way to detect the malware.

Other ways that Android users can prevent themselves from stealthy malware is to be suspicious of Android applications requiring unusual permissions not aligned with their advertised functionality, Yeong recommended. For example, it should be a red flag if something like an Android flashlight app requests permissions to access the device's phonebook, he noted.

"We recommend that people also refrain from installing applications that originate from third-party sources onto their devices," Yeong added.