Overview
Threat type: Adware/Browser hijacker
Associated domain: Disguised via third‑party app stores (no specific domain)
Detection names: Identified by analysts at zLabs, Zimperium, BleepingComputer
Symptoms of infection:
- App icon disappears post‑install
- Persistent spam browser notifications
- Unwanted redirects to malicious sites
- Installation of additional unwanted apps
- Data exfiltration: installed apps, network and system info
Damage & distribution methods:
- Distributed via sideloaded APKs impersonating legitimate apps
- Malformed APK structure (encrypted ZIP flags, BZIP compression) evades detection
- Uses CaramelAds SDK to deliver ads and payloads
Danger level: High (due to covert operations, data exfiltration, persistent spam)
Removal tool: SpyHunter – Download SpyHunter
Threat Summary Table
| Feature | Details |
|---|---|
| Threat type | Adware/Browser hijacker |
| Associated domain | None specific – via third‑party APKs |
| Detection names | zLabs, Zimperium, BleepingComputer analysis |
| Symptoms | Icon hiding, browser notification spam, malicious redirects, extra app installs |
| Damage/Distribution | Sideloaded evil‑twin APKs, obfuscation via malformed ZIP structure |
| Danger level | High – invasive, hard to detect, privacy risk |
| Removal tool | SpyHunter (link above) |
In-Depth Analysis
How I got infected
You may have searched for a free or premium app outside of the Google Play Store. The malicious “Konfety” app, masquerading as a real one, was packaged in an APK that passes initial security checks. Once installed, it hides its icon to avoid being noticed.
What does it do
Konfety:
- Employs malformed ZIP structures (encrypted flag, BZIP compression) to fool security tools
- Loads hidden, encrypted DEX files at runtime with commands declared in AndroidManifest
- Redirects you to malicious websites, bombards with browser spam, and silently installs apps
- Steals data (installed apps, network/system config) via CaramelAds SDK
- Uses geofencing and icon hiding to evade detection in certain regions
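As an added, defender-side example that is not part of the original page and does not use Konfety's actual files: the script below builds two constructed APK-like ZIP archives in memory, one well-formed and one whose central-directory headers declare the encrypted flag and the BZIP2 method in the way the analysis above describes, then scans the central directory with a raw struct parser to report those declarations. It also cross-checks whether Python's standard zipfile module can still extract the entry, which illustrates the kind of tool failure malformed headers cause. The entry names, contents and header values are constructed assumptions; the check is a triage heuristic, not a signature.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50

FLAG_ENCRYPTED = 0x0001                 # general-purpose bit 0: entry declared encrypted
METHOD_STORED, METHOD_DEFLATE, METHOD_BZIP2 = 0, 8, 12
NORMAL_METHODS = {METHOD_STORED, METHOD_DEFLATE}   # what a normal APK uses


def build_zip(entries):
    """Build a minimal ZIP archive from (name, data, method, flags) tuples.
    Data is always written uncompressed; 'method' and 'flags' only go into the
    headers, so a deliberate mismatch between what the headers declare and what
    is actually stored can be constructed for testing."""
    local_parts, central_parts, offset = [], [], 0
    for name, data, method, flags in entries:
        name_b = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                            crc, len(data), len(data), len(name_b), 0)
        local_parts.append(local + name_b + data)
        central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, method,
                              0, 0, crc, len(data), len(data), len(name_b),
                              0, 0, 0, 0, 0, offset)
        central_parts.append(central + name_b)
        offset += len(local) + len(name_b) + len(data)
    central_dir = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central_dir), offset, 0)
    return b"".join(local_parts) + central_dir + eocd


def scan_zip(buf):
    """Walk the central directory with a raw parser (not the zipfile module) and
    report entries whose headers declare encryption or a compression method other
    than stored/deflate. Returns a list of (entry name, reason) tuples."""
    eocd_pos = buf.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        return [("<archive>", "no end-of-central-directory record")]
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack(
        "<IHHHHIIH", buf[eocd_pos:eocd_pos + 22])
    findings, pos = [], cd_offset
    for _ in range(total):
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", buf[pos:pos + 46])
        if fields[0] != CENTRAL_SIG:
            findings.append(("<archive>", "central directory signature mismatch at 0x%x" % pos))
            break
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = buf[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            findings.append((name, "encrypted flag set"))
        if method not in NORMAL_METHODS:
            findings.append((name, "unusual compression method %d" % method))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def stdlib_can_read(buf, name):
    """Cross-check: can Python's zipfile extract the entry? An entry whose header
    declares encryption makes it refuse without a password, which is the tool
    failure the malformed-structure trick relies on."""
    try:
        with zipfile.ZipFile(io.BytesIO(buf)) as zf:
            return zf.read(name) is not None
    except Exception:
        return False


# Constructed samples (not real Konfety artifacts): a well-formed APK-like archive
# and one that declares the encrypted flag plus BZIP2 on classes.dex.
CLEAN = build_zip([("AndroidManifest.xml", b"<manifest/>", METHOD_STORED, 0),
                   ("classes.dex", b"dex\n035\x00", METHOD_STORED, 0)])
SUSPICIOUS = build_zip([("AndroidManifest.xml", b"<manifest/>", METHOD_STORED, 0),
                        ("classes.dex", b"dex\n035\x00", METHOD_BZIP2, FLAG_ENCRYPTED)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, "findings:", scan_zip(sample) or "none",
              "| zipfile can read classes.dex:", stdlib_can_read(sample, "classes.dex"))
```

The point of parsing the central directory by hand is that a scanner should not depend on the same library behaviour the sample is designed to break: zipfile refuses the "encrypted" entry, while the raw walk still reports which entries carry the odd flags and methods so the APK can be routed to manual review.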
Should you be worried about your system?
Yes—definitely. Konfety not only disrupts your experience with intrusive spam but also operates in stealth mode to siphon personal and system information. The use of obfuscation techniques makes it difficult to detect and remove manually. This malware is more than a nuisance—it poses serious privacy and security risks.
Conclusion
Konfety is a highly deceptive Android threat that hides behind legitimate app facades. It silently invades devices, floods users with spam, steals sensitive data, and cleverly avoids detection through advanced obfuscation techniques. If you’ve sideloaded any APK outside official app stores, especially those that vanished after install, it’s crucial to scan your device immediately. Ensure you use SpyHunter for an effective removal and protect your device going forward.