When Android Malware Plays Hide and Seek: The Konfety Threat That Fooled All Security Tools


The world of Android security just got a wake-up call and it’s not pretty. A strain of stealth malware called Konfety has been making headlines, not for what it does, but for how brilliantly it hides what it does. Here’s the kicker: this is not just another banking trojan or adware annoyance. Konfety represents a new generation of Android malware that is fundamentally rewriting the rules of detection evasion through sophisticated technical manipulation and systematic exploitation of security tool vulnerabilities.

Let’s take a look at what makes this threat so clever and why your phone might be more vulnerable than you think.

HUMAN discovered that the Konfety group operates out of Russia and poses as an ad network company behind the CaramelAds SDK. At its peak, this operation generated 10 billion fraudulent claims daily, making it one of the most prolific ad fraud schemes ever documented. What sets Konfety apart from traditional malware is its systematic approach to legitimacy: the group created and uploaded more than 250 Android apps to the Google Play Store as legitimate fronts, creating an entire ecosystem of fake credibility that enables its sophisticated evasion techniques.

The “Evil Twin” plan that is fooling everyone

So how does Konfety work its magic? The answer lies in what security researchers call the “evil twin” method, and it’s devilishly simple but technically sophisticated.

The setup works like this: Threat actors create apps that look legitimate and get approval on the Google Play Store. These “twin decoy” apps actually work as advertised and pass all security checks. Meanwhile, they distribute malicious versions of the same apps through malvertising, click bait, or unauthorized downloads outside the official store.

Both versions use the same package name and app ID, but here’s the cool part: the evil twins spoof IDs of legitimate advertising publishers to trick ad networks into believing that the fraudulent traffic is coming from the clean versions of the Play Store. Satori researchers identified over 250 apps on Google Play with the abused CaramelAds SDK, each with a corresponding evil twin, creating a massive parallel infrastructure of legitimacy and fraud.

The scale of this operation is staggering. Malicious versions hijack your screen to display full-screen, out-of-context ads every few minutes while you use other apps, but the technical sophistication goes far beyond simple ad injection. The CaramelAds SDK infrastructure operates the same servers for both decoy apps and rogue twin apps, allowing threat actors to easily scale their operations while maintaining the illusion of legitimate ad network activity.

Now this is where Konfety gets really nasty. The latest variants do not rely solely on social engineering: they use technical tricks that systematically break analysis tools by exploiting weaknesses in how those tools parse the APK file format.

The main technique involves malformed APK files that break most security scanning tools yet install perfectly on Android devices. Zimperium researchers found more than 3,000 Android malware samples that used unsupported compression methods, with 71 malicious samples that Android can still load correctly despite the malformed structure.

Here’s the technical breakdown of how this manipulation works at the ZIP level: Konfety tampers with the APK’s ZIP structure by declaring unsupported compression methods such as BZIP and by setting a fake encryption flag in the general-purpose bit flag field of the entry headers. This creates a multi-layered evasion strategy: analysis tools like APKTool and JADX interpret these malformed headers as a corrupt file and fail outright, while Android silently falls back to treating an entry as stored (uncompressed) when it encounters an unsupported compression method.

The brilliance lies in exploiting the gap between how security tools and how Android’s runtime parse the same file. Security scanning tools follow the ZIP specification strictly and fail when they encounter malformed headers, but Android’s fault-tolerant design prioritizes functionality over format compliance. This creates a perfect blind spot where malware can hide in plain sight.
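To make this header-level trick concrete, here is an added example written for this page; it is not code from the Konfety research or from any of the tools named above. It builds a constructed, APK-shaped ZIP (the file names and contents are placeholders, not a real app), rewrites one entry’s headers the way the article describes (unsupported compression method id 12, which the ZIP specification assigns to BZIP2, plus the encryption bit in the general-purpose flags), and then shows two readers disagreeing: Python’s `zipfile`, standing in for a spec-strict tool like APKTool or JADX, refuses to extract the entry, while a scanner that knows Android only honours stored and deflate flags both anomalies. The cross-check of each local file header against its central directory entry goes beyond what the article describes; it is an extra consistency check a defender would want in such a scanner.

```python
import io
import struct
import zipfile
from typing import Dict, Iterator, List

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header

# Android only decompresses these two methods; anything else in an APK is suspicious.
ANDROID_METHODS = {0: "stored", 8: "deflate"}
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: entry is encrypted

# Little-endian layouts of the three record types; offsets used below are noted.
EOCD_FMT = "<4sHHHHIIH"            # entries@10, cd_size@12, cd_offset@16
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"   # flags@8, method@10, name_len@28, extra_len@30, comment_len@32, local_off@42
LOCAL_FMT = "<4sHHHHHIIIHH"        # flags@6, method@8


def central_directory(data: bytes) -> Iterator[Dict]:
    """Walk the central directory (the structure Android itself trusts) and yield one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        f = struct.unpack_from(CDIR_FMT, data, pos)
        flags, method = f[3], f[4]
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("utf-8", "replace")
        yield {"name": name, "flags": flags, "method": method, "cd_off": pos, "local_off": local_off}
        pos += 46 + name_len + extra_len + comment_len


def scan_apk(data: bytes) -> List[str]:
    """Return one finding per header anomaly an Android-aware scanner should flag."""
    findings = []
    for e in central_directory(data):
        if e["method"] not in ANDROID_METHODS:
            findings.append("%s: unsupported compression method %d" % (e["name"], e["method"]))
        if e["flags"] & FLAG_ENCRYPTED:
            findings.append("%s: encryption flag set, but APK entries are never ZIP-encrypted" % e["name"])
        lo = e["local_off"]
        if data[lo:lo + 4] != LOCAL_SIG:
            findings.append("%s: local file header signature missing" % e["name"])
            continue
        lf = struct.unpack_from(LOCAL_FMT, data, lo)
        if (lf[2], lf[3]) != (e["flags"], e["method"]):
            findings.append("%s: local header disagrees with central directory" % e["name"])
    return findings


def tool_can_read(data: bytes, name: str) -> bool:
    """Stand-in for a spec-strict analysis tool: can Python's zipfile extract the entry?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except Exception:
        return False


def build_clean_sample() -> bytes:
    """Constructed APK-shaped archive (placeholder contents, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 16)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 256)
    return buf.getvalue()


def tamper(data: bytes, target: str, method: int, extra_flags: int) -> bytes:
    """Rewrite one entry's method/flags in both its central directory record and its local
    header, mimicking the header manipulation the article describes (data is not recompressed)."""
    buf = bytearray(data)
    for e in central_directory(buf):
        if e["name"] == target:
            new_flags = e["flags"] | extra_flags
            struct.pack_into("<HH", buf, e["cd_off"] + 8, new_flags, method)
            struct.pack_into("<HH", buf, e["local_off"] + 6, new_flags, method)
    return bytes(buf)


if __name__ == "__main__":
    clean = build_clean_sample()
    evil = tamper(clean, "classes.dex", 12, FLAG_ENCRYPTED)  # 12 = BZIP2 method id
    for label, sample in (("clean", clean), ("tampered", evil)):
        print(label, "- zipfile can read classes.dex:", tool_can_read(sample, "classes.dex"))
        for finding in scan_apk(sample):
            print("   ", finding)
```

Running the script prints that the clean sample is readable with no findings, and that the tampered one is rejected by `zipfile` while the scanner reports both the unsupported method and the bogus encryption bit. The practical lesson is that a scanner for APKs should parse the central directory itself and apply Android’s rules (only methods 0 and 8 matter, encryption bits are meaningless) rather than inheriting a general-purpose ZIP library’s strictness, which is exactly the failure mode the evasion relies on.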

But the technical sophistication doesn’t end there. The malware also employs dynamic code loading, where critical functionality is hidden in encrypted assets and only decrypted at runtime. This means that standard APK scanning completely misses malicious behavior, as the most dangerous code never appears in the initial file structure examined by security tools.

The vulnerability that Google can’t seem to fix

Let’s talk about the elephant in the room: Google Play Protect. You know, that security feature that’s supposed to scan 125 billion apps every day and keep malware off your device?

Well, spoiler alert: it doesn’t work as advertised, and Konfety exposes exactly why traditional signature-based detection is fundamentally flawed. Research shows that average antivirus apps detect malware more accurately and faster than Play Protect’s combined on-device and cloud scans. Worse yet, more than 200 malicious apps on Google Play were downloaded millions of times between June 2023 and April 2024, with a cumulative total of almost 8 million downloads.

Here’s what’s particularly worrying about Konfety’s approach: the decoy apps on Google Play aren’t technically malicious themselves. They pass all automated security checks because they really work as advertised. Google Play Protect compares app hashes to known malware signatures, but these legitimate fronts have clean signatures by design.

The real threat comes from the evil twin versions distributed outside the store, which systematically exploit the trust established by their Play Store counterparts. Konfety’s specific techniques point to Play Protect’s hash-based detection approach: since malicious versions use the same package names and publisher IDs as legitimate apps, they can impersonate trusted apps while performing fraud. This creates a fundamental problem: the current detection paradigm cannot distinguish between legitimate applications and malicious twins that share identical identifying characteristics.

What happens when sophisticated evasion meets adaptive criminals?

The truly scary part about Konfety isn’t just its current capabilities: it’s how the operation demonstrates a new paradigm of adaptive, infrastructure-based malware campaigns that evolve faster than detection methods can keep up.

The latest evolution includes multiple sophisticated layers working together:

  • Geofence capabilities that adjust behavior based on the victim’s location, making regional analysis difficult
  • Anti-emulation detection which prevents analysis in virtual environments used by security researchers
  • Dynamic payload fetch via the CaramelAds SDK infrastructure that can deliver new malicious code on demand
  • Hiding icons to prevent easy uninstallation once installed, using restricted Android techniques to disappear from launchers

Security researchers note that the threat actors behind Konfety are highly adaptable, constantly altering their targeted ad networks and updating methods to evade detection. The campaign peaked at 10 billion daily requests before security researchers shut it down, but actors quickly switched to new advertising platforms and updated their technical methods.

This represents an ongoing arms race in which traditional security measures are always one step behind. The combination of legitimate app store presence, sophisticated technical evasion, and rapid adaptation creates a threat model that challenges fundamental assumptions about mobile security. The scheme affected multiple entities across the advertising ecosystem, including legitimate ad networks, and could unknowingly impact developers using the CaramelAds SDK, demonstrating how modern malware operations can weaponize entire legitimate ecosystems.

Here’s what all this means for you: The traditional advice of “download it from Google Play and you’re safe” is officially obsolete and we need a fundamental change in the way we address mobile security threats.

Konfety demonstrates that sophisticated threat actors can systematically fool existing security systems by using legitimate app store presence as cover for malicious activity conducted elsewhere. The implications extend far beyond ad fraud: this represents a new class of security threats that exploit the intersection of legitimate infrastructure, technical evasion, and adaptive criminal operations.

Researchers found that malware countermeasures often create a trade-off between security and user experience, and mobile developers are reluctant to implement solutions that degrade usability. This creates persistent vulnerabilities that adaptive malware like Konfety can systematically exploit through technical sophistication rather than simple social engineering.

The broader trend is clear: several malware families have evaded Play Protect checks in recent years, suggesting that signature-based detection is becoming obsolete in the face of technically sophisticated threats. The combination of ZIP-level manipulation, dynamic code loading, and infrastructure-based evasion creates attack vectors that traditional security tools simply cannot address.

Your best defense requires a new mindset: be skeptical of app permissions regardless of their origin, understand that apps that appear legitimate may have malicious twins, and recognize that mobile security now requires the same level of vigilance that we apply to desktop. The Android security landscape has become exponentially more complicated, and the old rules no longer apply in a world where criminals can weaponize legitimate app stores and break security tools through technical manipulation.

The arms race between malware authors and security tools has entered a new phase, in which criminals are winning by systematically exploiting fundamental security assumptions. It is time for us all to start paying attention to this new reality.
