
Obfuscated Malicious Applications Using AI to Evade Antivirus Detection and Deploy Harmful Payloads

A new wave of malicious Android applications posing as a popular Korean delivery service has been detected spreading across user devices, leveraging artificial intelligence (AI)-enhanced obfuscation and sophisticated data exfiltration methods.

Security researchers have traced the distribution campaign to a threat actor that continues to refine its tactics to avoid antivirus (AV) detection and maintain persistence using breached legitimate websites as command-and-control (C2) servers.

AI-Enhanced ProGuard Obfuscation in APKs

Analysis of the malicious application revealed that the attackers used AI-powered obfuscation tools combined with ProGuard to conceal classes, functions, and variables. These names are replaced with meaningless eight-character Korean strings, while resource identifiers remain unchanged.

This method not only frustrates reverse engineering but also evades heuristic-based detection, since the AI component dynamically generates novel string patterns during the build process.
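The naming pattern described above (identifiers rewritten to exactly eight Korean characters while resource names stay intact) is something an analyst can check for cheaply when triaging a dex class list. The following is an added example, not code from the article or the researchers: it scores a constructed list of class names against that pattern; the sample names and the threshold are assumptions.

```python
import re
from typing import Iterable

# Hangul syllable block U+AC00..U+D7A3. The article reports identifiers rewritten
# to exactly eight Korean characters, so that is the exact pattern checked here.
HANGUL_8 = re.compile(r"[\uAC00-\uD7A3]{8}")

# Constructed sample of dex class names (not taken from any real sample).
SAMPLE_CLASSES = [
    "android.app.Activity",
    "com.example.tracker.MainActivity",
    "com.example.tracker.util.Http",
    "com.example.tracker.가나다라마바사아",
    "com.example.tracker.자차카타파하거너$더러머버서어저처",
    "com.example.tracker.가나다라마바사",      # seven chars: not the pattern
    "가나다라마바사아.고노도로모보소오",           # renamed package and class
]

def segments(qualified_name: str) -> list:
    """Split 'a.b.Outer$Inner' into its package, class and inner-class parts."""
    return [s for s in re.split(r"[.$]", qualified_name) if s]

def is_hangul8(segment: str) -> bool:
    """True when a name part is exactly eight Hangul syllables."""
    return HANGUL_8.fullmatch(segment) is not None

def score_class_names(names: Iterable[str], min_ratio: float = 0.1) -> dict:
    """Count name parts matching the pattern and flag classes that contain one.

    A single match proves little; the ratio over the whole dex is what a triage
    rule should key on. min_ratio is an assumed, arbitrary threshold.
    """
    total = matches = 0
    flagged = []
    for name in names:
        parts = segments(name)
        hits = sum(is_hangul8(p) for p in parts)
        total += len(parts)
        matches += hits
        if hits:
            flagged.append(name)
    ratio = matches / total if total else 0.0
    return {"segments": total, "matches": matches, "ratio": ratio,
            "flagged": flagged, "suspicious": ratio >= min_ratio}

if __name__ == "__main__":
    result = score_class_names(SAMPLE_CLASSES)
    print(f"{result['matches']}/{result['segments']} name parts match "
          f"(ratio {result['ratio']:.2f}); suspicious={result['suspicious']}")
    for cls in result["flagged"]:
        print("  flagged:", cls)
```

Feed it the class list from a dex listing tool of your choice; because legitimate Korean-language apps rarely name classes this way, even a modest ratio is worth a closer look.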

The examined APK connects to genuine delivery-tracking sites to mimic legitimate activity. Once permissions are granted, it displays a convincing tracking interface with randomly generated waybill numbers, adding credibility to its disguise.

Figure: Permission request

This dual-use design enables the malware to steal data in the background while tricking users into believing they are interacting with an official delivery service.

The app’s static analysis indicated extensive use of obfuscated class structures and runtime-loaded encrypted code sections.

Dynamic analysis confirmed that the malware requests multiple permissions upon launch, including storage access, network control, and SMS read permissions, all of which are critical for harvesting sensitive data.

C2 Infrastructure and Data Exfiltration

In a notable twist, the threat actor routes its C2 communication through compromised legitimate websites. These websites, likely breached without the administrator’s knowledge, serve as relay points for stolen information.

By abusing genuine Korean domains such as http[:]//dhct[.]co[.]kr/, http[:]//mlsm[.]or[.]kr/, and http[:]//solarbusiness[.]kr/, the malware avoids drawing suspicion from network filtering systems that would typically block newly registered or suspicious addresses.


The malware dynamically retrieves C2 server addresses hidden within blogs hosted on Korean web portals. When the application executes, it parses the blog content to load updated C2 locations, enabling flexible infrastructure changes without modifying the malware itself.

This technique helps maintain connection stability even after parts of the infrastructure are blocked.

Researchers also detected multiple infection samples with distinct hashes, including 46a05b40410e26998b617240c1cc054e and 52cd352cd52189ff202dc2af5c113c81, underscoring the campaign’s ongoing propagation.

Security experts advise users to download apps exclusively from official stores, remain wary of unexpected tracking or delivery notifications, and deploy mobile security solutions capable of detecting AI-based obfuscation techniques.

As cybercriminals increasingly integrate AI to enhance malware evasion, analysts warn that this trend will likely evolve further, requiring continuous adaptation in mobile threat detection systems.


The post Obfuscated Malicious Applications Using AI to Evade Antivirus Detection and Deploy Harmful Payloads appeared first on Cyber Security News.
