BadPack is a malicious APK file intentionally altered to exploit the Android operating system’s file structure.
Typically, attackers maliciously modify the header information in the compressed file format of APKs to hinder reverse engineering efforts. These tampered headers are a hallmark of BadPack, posing significant challenges for Android reverse engineering tools. This technique is commonly used by Android-based banking Trojans like BianLian, Cerberus, and TeaBot.
These findings were reported to Google by Palo Alto Networks, who confirmed that no apps containing this malware are currently found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services. Google Play Protect can warn users or block apps exhibiting malicious behavior, even if these apps come from sources outside of Google Play.
How Does BadPack Malware Work?
APK files, essential for Android applications, use the ZIP archive format and contain a critical file named AndroidManifest.xml. This file stores data and instructions vital for the application’s operation. In BadPack APKs, attackers tamper with the ZIP header data, making it difficult for tools like Apktool and Jadx to extract and analyze the content. For instance, Apktool often fails to extract AndroidManifest.xml from BadPack samples.
Palo Alto Networks’ Advanced WildFire detection telemetry from June 2023 to June 2024 identified nearly 9,200 BadPack samples, indicating a significant threat. Figure 1 illustrates the monthly trends of these detections, with a notable increase in May 2024.
Understanding the Android Manifest File
The Android Manifest file, AndroidManifest.xml, is a crucial configuration file in APK samples, providing essential information about the mobile application to the Android OS. This includes details about activities, services, permissions, and compatible Android versions. Extracting and processing this file is the first step in static analysis of an APK sample. Malware authors often tamper with the ZIP headers to obstruct security analysts from performing this analysis.
ZIP File Structure
The ZIP format compresses and archives content into a single file, comprising two main types of headers: Local File Headers and Central Directory File Headers. Malware authors can alter fields within these headers to prevent analysts from extracting an APK file’s content, while still allowing the APK to run on an Android device.
Local File Headers
Local file headers represent individual files in a ZIP archive. The archive starts with a local file header, repeated for each file. These headers begin with a 4-byte signature (PK, for Phillip Katz, the ZIP format creator). The compression field, located at byte offsets 0x08 and 0x09, indicates the compression method, commonly DEFLATE (0x0800). The header also includes fields for compressed and uncompressed sizes and filenames.
Central Directory File Headers
Central directory file headers appear after the last local file header in a ZIP archive. They summarize the contents of the archive and may include an optional APK Signing Block. These headers also contain fields for the compression method, sizes, and filenames, located at different byte offsets than in local file headers.
Analyzing the BadPack Technique
In BadPack samples, attackers manipulate ZIP structure headers, preventing APK extraction and AndroidManifest.xml decoding and causing static analysis tools to fail. This manipulation can include mismatched values between the local and central directory file headers, for instance an incorrect compression method or invalid size fields.
While analysis tools like Apktool and Jadx require strict adherence to the ZIP format specification, the Android runtime on devices is more lenient and only inspects the central directory header. Thus, BadPack APKs can run on Android devices but fail in analysis tools. By reversing these changes and restoring the original ZIP structure header values, analysts can successfully analyze BadPack samples.
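The local/central mismatch check and the restoration step described above, as an added example (not Unit 42's tooling): it walks the central directory, which is the structure the Android runtime trusts, compares each entry with its local file header, and copies the central directory values back into the local headers. The sample APK-shaped archive is constructed in the script itself; the name `build_sample` and the 0xFFFF method value are assumptions for illustration, not taken from any real BadPack file.

```python
import io
import struct
import zipfile

EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def central_entries(data: bytes):
    """Yield (name, compression, crc, csize, usize, local_offset) from the central directory."""
    eocd = data.rfind(EOCD_SIG)
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)  # entry count, cd size, cd offset
    for _ in range(count):
        assert data[pos:pos + 4] == CD_SIG, "central directory signature missing"
        comp, crc, csize, usize, nlen, xlen, clen, off = struct.unpack_from("<H4xIIIHHH8xI", data, pos + 10)
        yield data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"), comp, crc, csize, usize, off
        pos += 46 + nlen + xlen + clen

def find_mismatches(data: bytes):
    """Report local file headers whose fields disagree with the central directory."""
    issues = []
    for name, comp, crc, csize, usize, off in central_entries(data):
        assert data[off:off + 4] == LFH_SIG, f"{name}: local file header signature missing"
        flags, lcomp, lcrc, lcsize, lusize = struct.unpack_from("<HH4xIII", data, off + 6)
        if lcomp != comp:
            issues.append((name, f"compression local={lcomp:#06x} central={comp:#06x}"))
        # flag bit 3 means CRC/sizes live in a trailing data descriptor, so zeros here are legitimate
        if not flags & 0x8 and (lcrc, lcsize, lusize) != (crc, csize, usize):
            issues.append((name, "crc/size fields differ from central directory"))
    return issues

def repair(data: bytes) -> bytes:
    """Restore each local header from its central directory entry, the values Android uses."""
    buf = bytearray(data)
    for _, comp, crc, csize, usize, off in central_entries(data):
        struct.pack_into("<H", buf, off + 8, comp)
        if not struct.unpack_from("<H", buf, off + 6)[0] & 0x8:
            struct.pack_into("<III", buf, off + 14, crc, csize, usize)
    return bytes(buf)

def read_manifest(data: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("AndroidManifest.xml")

def build_sample() -> bytes:
    """Constructed sample (not a real BadPack file): the local header gets an invalid compression method."""
    with zipfile.ZipFile(mem := io.BytesIO(), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.test'/>" * 20)
    data = bytearray(mem.getvalue())
    off = next(e[5] for e in central_entries(data) if e[0] == "AndroidManifest.xml")
    struct.pack_into("<H", data, off + 8, 0xFFFF)  # central directory still says DEFLATE (8)
    return bytes(data)
```

Running `find_mismatches(build_sample())` reports the compression mismatch for AndroidManifest.xml, and `find_mismatches(repair(build_sample()))` returns an empty list.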
Conclusion
The increasing number of Android devices presents a growing target and a significant challenge in combating malware attacks on the platform. APK files using BadPack reflect the rising sophistication of APK malware samples, posing formidable challenges for security analysts.
Users should be wary of Android applications that request unusual permissions not aligned with their advertised functionality, such as a flashlight app requesting access to the device’s phonebook. Also, it is advisable to refrain from installing applications from third-party sources to maintain device security.
If you suspect a compromise or have an urgent matter, contact the Unit 42 Incident Response team for assistance.