Research Materials

Malicious APK deforming ZIP file format found under experiment in the wild (English version)

AI Innovation Office 2023-01-18

Since 2017, the Financial Security Institute has been tracking and responding to voice phishing, a type of financial fraud in which attackers impersonate financial institutions and use social engineering to mislead victims into installing malicious apps that steal device information and cause actual financial loss. Malicious apps are always involved in this crime process, and a new anti-analysis method based on the ZIP file format was observed in a sample collected in the wild in mid-August.

The anti-analysis app installs and runs normally, without errors, on real devices and emulators, but static analysis tools return an error when they try to analyze it. Because this sample was intended to hinder analysis, we share the process and results of our root cause analysis.