New Android Malware Hides in Fake Apps and Floods You With Ads
A newly evolved version of the Konfety Android malware is spreading through third-party app stores, using malformed app packages and other evasion tricks to slip past analysis tools and persuade users to install it. Disguised as legitimate apps, it bombards users with ads, redirects them to shady websites, and harvests device data, all while hiding in plain sight.
Lookalike Apps Target Users on Unofficial App Stores
Konfety doesn't come through the official Google Play Store. Instead, attackers use what researchers call an "evil twin" strategy: copying the name and branding of real apps and pushing the copies through unofficial marketplaces. These lookalike apps carry the same package name as the legitimate app, so a package-name check alone cannot tell the two apart and the fake is harder to spot.
Once installed, Konfety hides its icon and name so the user does not notice it. It also adapts its behavior to the victim's location, a tactic known as geofencing, changing what it does depending on the region the device is in.
Hiding in Plain Sight: How Konfety Evades Detection
What makes this variant of Konfety especially dangerous is its use of tampered APK files. An APK is an Android app installation package, which is a ZIP archive underneath, and Konfety manipulates the ZIP metadata to crash or confuse the analysis tools researchers use to inspect apps: it declares an unsupported compression method for key entries and sets the ZIP flag that marks an entry as encrypted, so tools either error out or prompt for a password that does not exist.
Android itself is unaffected by these tricks: its package parser ignores the bogus settings and installs the app normally. Behind the scenes, the app carries an encrypted payload that stays inert during static scans and is only decrypted and loaded once the app is running, revealing hidden capabilities like ad fraud, unwanted downloads, and data collection.
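As an added check for analysts (example code written for this article, not Zimperium's tooling and not code from the malware), the following Python script parses an APK's ZIP headers directly with struct instead of trusting a ZIP library, flags the two tricks described above (an entry marked encrypted, and a compression method other than the stored/deflate pair Android expects), and shows how Python's own zipfile reacts to the same file. The sample APK is constructed in memory for the demonstration; its entry names, the package name com.example.decoy and the use of bzip2 (ZIP method 12) as the unsupported method are assumptions, not identifiers from the report.

```python
"""Scan an APK (a ZIP archive) for the header tricks Konfety-style samples use:
an entry flagged as encrypted (general-purpose bit 0) although APKs are never
password-protected, an unsupported compression method (anything other than
STORED/DEFLATE), and local headers that disagree with the central directory.
The sample APK built by build_sample_apk() is constructed for this example."""
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
ALLOWED_METHODS = {0: "stored", 8: "deflate"}  # the only methods an APK should use
METHOD_NAMES = {12: "bzip2", 14: "lzma", 93: "zstd", 99: "aes"}
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: "this entry is encrypted"


def parse_central_directory(data):
    """Walk the central directory by hand (no zipfile) and return one dict per entry."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(total):
        (sig, _made, _need, flags, method, _t, _d, _crc, _csz, _usz,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr,
         local_offset) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method,
                        "local_offset": local_offset, "cd_pos": pos})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def parse_local_header(data, offset):
    """Read the local file header that a central directory entry points at."""
    sig, _ver, flags, method = struct.unpack_from("<IHHH", data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("bad local header signature at %d" % offset)
    return {"flags": flags, "method": method}


def scan_apk(data):
    """Return (entry name, finding) pairs; an empty list means the headers look sane."""
    findings = []
    for entry in parse_central_directory(data):
        local = parse_local_header(data, entry["local_offset"])
        for where, hdr in (("central directory", entry), ("local header", local)):
            if hdr["flags"] & FLAG_ENCRYPTED:
                findings.append((entry["name"], where + " sets the encryption flag; "
                                 "APK entries are never password-protected"))
            if hdr["method"] not in ALLOWED_METHODS:
                mname = METHOD_NAMES.get(hdr["method"], "unknown")
                findings.append((entry["name"], "%s declares compression method %d (%s)"
                                 % (where, hdr["method"], mname)))
        if local["method"] != entry["method"] or local["flags"] != entry["flags"]:
            findings.append((entry["name"], "local header and central directory disagree on method/flags"))
    return findings


def stdlib_reaction(data):
    """How Python's zipfile reacts when asked to extract AndroidManifest.xml."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read("AndroidManifest.xml")
        return "ok"
    except Exception as exc:  # we want the exception class name, whatever it is
        return type(exc).__name__


def build_sample_apk(tamper):
    """Constructed sample: a minimal two-entry 'APK'. With tamper=True the manifest's
    local header gets method 12 (bzip2) plus the encryption flag, and its central
    directory entry gets the encryption flag, mimicking the tricks described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.decoy'/>")  # assumed name
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        manifest = next(e for e in parse_central_directory(bytes(data))
                        if e["name"] == "AndroidManifest.xml")
        lo = manifest["local_offset"]
        struct.pack_into("<HH", data, lo + 6, FLAG_ENCRYPTED, 12)          # local: flags, method
        struct.pack_into("<H", data, manifest["cd_pos"] + 8, FLAG_ENCRYPTED)  # central: flags only
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)), ("tampered", build_sample_apk(True))):
        print(label, "-> zipfile:", stdlib_reaction(apk))
        for name, finding in scan_apk(apk):
            print("  ", name, ":", finding)
```

On the tampered sample, zipfile refuses to extract the manifest with a "password required" error even though nothing is encrypted, which is exactly the false password prompt the text describes; the hand-rolled scanner instead reports the bogus flag, the unsupported method, and the mismatch between the two headers. Running a check like this before handing a sample to apktool or jadx turns a tool crash into a triage signal.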
Redirects, Spam, and Data Collection
Once active, Konfety connects to attacker-controlled servers, opens browser sessions in the background, and redirects users through a chain of suspicious websites. These sites try to trick users into accepting push notifications or downloading further malicious apps. Once notification permission is granted, users can be flooded with persistent pop-ups and fake system alerts.
Konfety also collects information from the device, such as the list of installed apps, network configuration, and basic system details. This data can be used to tailor future attacks or sold to other cybercriminals. The use of dynamic code loading and hidden files makes the malware difficult to detect and remove.

Fig 1. Examples of unwanted pop-ups and websites. Source: Zimperium
To avoid falling victim to malware like Konfety, users should be extremely cautious about downloading apps from third-party stores. These sources often lack the security checks that Google Play provides. If an app promises premium features for free or mimics the name of a popular app, it’s a red flag.
Konfety is a reminder that Android users must stay vigilant. Stick to official app stores, keep your device updated, and consider using mobile security tools like Certo AntiSpy that can detect hidden threats. As cybercriminals become more sophisticated, these basic precautions are more important than ever.