The PolySwarm Blog

Konfety Android Malware

Jul 28, 2025 3:08:29 PM / by The Hivemind

KONFETY

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: Campaigns abusing the CaramelAds SDK

Executive Summary

Konfety, a longstanding mobile malware, has resurfaced with enhanced evasion capabilities, including dynamic code loading and multi-layered obfuscation, to facilitate ad fraud while evading detection on Android devices. This evolution underscores the persistent challenge of concealed malicious logic in mobile applications, demanding advanced scrutiny from security teams.

Key Takeaways

  • Konfety employs runtime decryption of encrypted assets to load secondary DEX files, hiding critical components from initial scans.  
  • The malware maintains ties to prior ad fraud campaigns via the CaramelAds SDK, featuring consistent indicators like User Agreement popups and specific regex patterns.  
  • Inconsistencies in AndroidManifest.xml, such as undeclared components in primary code, serve as key detection signals for analysts.  
  • Its focus on silent ad rendering and payload sideloading poses risks of financial and privacy impacts without user awareness.  

What is Konfety?

The resurgence of Konfety demonstrates how established mobile threats adapt to modern detection landscapes through sophisticated evasion strategies. This Android malware, previously associated with ad fraud via the CaramelAds SDK, now integrates dynamic code loading to obscure its operations. At runtime, it decrypts and injects a secondary Dalvik Executable (DEX) file from an encrypted asset within the APK, effectively concealing app components that are declared in the AndroidManifest.xml but absent from the primary codebase. This technique not only complicates static analysis but also delays the revelation of malicious functionality until after installation. Zimperium recently reported on Konfety. 

Analysts examining Konfety samples will note multi-layered obfuscation that builds on earlier variants. For instance, the malware retains hallmarks such as a User Agreement popup and the regular expression pattern "@injseq," which align with historical patterns. These elements suggest a deliberate continuity in design, aimed at perpetuating large-scale ad fraud. Once activated, the loaded code enables silent communication with remote servers, ad fetching and rendering in the background, and potential sideloading of additional payloads. Such behaviors exploit the trust users place in seemingly benign applications, leading to unauthorized data exfiltration and resource consumption.

From a technical standpoint, Konfety's evasion hinges on runtime injection, where the primary DEX handles initial setup before delegating to the hidden secondary file. This separation ensures that superficial scans overlook the bulk of the threat. This malware highlights the need for comprehensive mobile threat intelligence, integrating behavioral analysis with static inspections to counter adaptive adversaries. As mobile ecosystems expand, threats like Konfety remind security practitioners of the importance of proactive defenses, including regular app vetting and endpoint protection solutions tailored for Android environments. PolySwarm analysts consider Konfety to be an evolving threat. 
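As an added example (not PolySwarm's or Zimperium's tooling), the script below implements the manifest-inconsistency check described above: it compares the components a decoded AndroidManifest.xml declares with the class descriptors found in the string table of the primary classes.dex, so components that exist only in a runtime-loaded secondary DEX stand out. It assumes the manifest has already been decoded to text XML (for example with apktool), and the manifest and DEX it runs on are constructed sample inputs, not Konfety artifacts.

```python
import struct
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
COMPONENT_TAGS = ("application", "activity", "service", "receiver", "provider")

def declared_components(manifest_xml: str) -> set[str]:
    """Class names of every component declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    names = set()
    for tag in COMPONENT_TAGS:
        for el in root.iter(tag):
            name = el.get(ANDROID_NAME)
            if name:  # a leading dot means the name is relative to the package
                names.add(pkg + name if name.startswith(".") else name)
    return names

def dex_classes(dex: bytes) -> set[str]:
    """Class names from the 'Lpkg/Name;' type descriptors in a DEX string table."""
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    classes = set()
    for i in range(count):
        (off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        while dex[off] & 0x80: off += 1  # skip the uleb128 utf16_size prefix
        off += 1
        s = dex[off:dex.index(b"\x00", off)].decode("utf-8", "replace")
        if s.startswith("L") and s.endswith(";"):
            classes.add(s[1:-1].replace("/", "."))
    return classes

def missing_components(manifest_xml: str, dex: bytes) -> set[str]:
    """Components declared in the manifest but absent from the primary DEX: the inconsistency that signals code supplied at runtime from a hidden secondary DEX."""
    return declared_components(manifest_xml) - dex_classes(dex)

def build_minimal_dex(strings: list[str]) -> bytes:
    """Constructed stand-in for classes.dex: a header and string table only, no code."""
    header = b"dex\n035\x00" + bytes(0x30) + struct.pack("<II", len(strings), 0x70) + bytes(0x30)
    ids, data = b"", b""
    for s in strings:  # each string_id points into string_data (uleb128 length < 128 here)
        ids += struct.pack("<I", 0x70 + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"
    return header + ids + data

# Constructed sample: the manifest declares an ad service and a receiver the primary DEX lacks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
<application android:name=".MainApp"><activity android:name=".MainActivity"/>
<service android:name=".sdk.AdRenderService"/><receiver android:name="com.example.game.BootReceiver"/>
</application></manifest>"""
SAMPLE_DEX = build_minimal_dex(["Lcom/example/game/MainApp;", "Lcom/example/game/MainActivity;", "onCreate", "Ljava/lang/Object;"])
```

Running `missing_components(SAMPLE_MANIFEST, SAMPLE_DEX)` on the sample returns the two undeclared-in-code components; on a real APK, feed it the apktool-decoded manifest and the raw bytes of each classes*.dex.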

IOCs

PolySwarm has multiple samples of Konfety.

You can use the following CLI command to search for all Konfety samples in our portal:

$ polyswarm link list -f Konfety
