Threat actors are increasingly distributing malicious Android APKs (the ZIP-based package format for Android apps) that use unsupported, unidentified, or heavily modified compression methods to thwart decompilation. The benefit of this strategy for the attacker is that it can evade static analysis security tools and slow researchers down, delaying a full understanding of how a given Android malware strain operates.
Following a Joe Security tweet showcasing an APK that resists analysis yet runs flawlessly on Android devices, Zimperium, a member of the “App Defense Alliance” committed to locating and removing malware from Google Play, examined the decompilation-resistance landscape. Android APKs use ZIP archives with one of two compression methods: stored (no compression) or DEFLATE.
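Because an APK is a ZIP archive, the compression method of every entry is declared in a two-byte field of the central directory, and a defender can check that field without ever decompressing anything. The script below is an added example (not code from the article, Zimperium or Joe Security): it walks the central directory by hand, reports any entry whose method is neither stored (0) nor DEFLATE (8), and shows that Python's own `zipfile` module, like most analysis tooling, refuses such an entry. The "APK" it scans is a constructed two-entry archive; the crafted variant overwrites the method field of `classes.dex` with the arbitrary value 99 to stand in for an unknown method.

```python
import io
import struct
import zipfile

# Compression methods a stock Android APK uses (the only two the article names).
STORED, DEFLATED = 0, 8
KNOWN_METHODS = {STORED: "stored", DEFLATED: "deflate"}

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def parse_central_directory(data: bytes):
    """Walk the ZIP central directory by hand (no zipfile module) and
    return (name, compression_method) pairs, whatever the method is."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)   # 46-byte fixed header
        method, name_len, extra_len, comment_len = f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, method))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def find_unsupported_methods(data: bytes):
    """Entries whose declared compression method is neither stored nor DEFLATE."""
    return [(n, m) for n, m in parse_central_directory(data) if m not in KNOWN_METHODS]


def stdlib_can_read(data: bytes, name: str) -> bool:
    """True if Python's zipfile can decompress the entry; False when it gives
    up on the method, which is what static analysis tooling typically does."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except NotImplementedError:
        return False


def build_sample_apk(bogus_method=None) -> bytes:
    """Constructed sample: a two-entry ZIP shaped like a minimal APK.
    With bogus_method set, the method field of classes.dex is overwritten in
    both the local header and the central directory, mimicking an archive
    that declares a compression method no decompiler understands."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64, compress_type=zipfile.ZIP_DEFLATED)
    data = bytearray(buf.getvalue())
    if bogus_method is not None:
        target = b"classes.dex"
        idx = data.find(target)
        while idx >= 0:
            if data[idx - 30:idx - 26] == LOCAL_SIG:      # name follows the 30-byte local header
                struct.pack_into("<H", data, idx - 30 + 8, bogus_method)
            elif data[idx - 46:idx - 42] == CD_SIG:       # name follows the 46-byte CD header
                struct.pack_into("<H", data, idx - 46 + 10, bogus_method)
            idx = data.find(target, idx + 1)
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("crafted", build_sample_apk(bogus_method=99))):
        print(label, parse_central_directory(apk),
              "unsupported:", find_unsupported_methods(apk),
              "stdlib reads classes.dex:", stdlib_can_read(apk, "classes.dex"))
```

The point of reading the central directory directly rather than through a ZIP library is that the check keeps working on exactly the archives that make the library give up; a method value outside {0, 8} in an APK is a cheap, high-signal indicator worth surfacing in a triage pipeline before any decompiler is run.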