New Android Trojan ‘SoumniBot’ Evades Detection with Clever Tricks


A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure.

The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Every Android app comes with a manifest XML file (“AndroidManifest.xml”) that’s located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.

Knowing that threat hunters typically commence their analysis by inspecting the app’s manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging.

The first method involves the use of an invalid Compression method value when unpacking the APK’s manifest file using the libziparchive library, which treats any value other than 0x0000 or 0x0008 as uncompressed.

“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin explained.

“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed.”

It’s worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.

Secondly, SoumniBot misrepresents the archived manifest file size, providing a value that exceeds the actual figure, as a result of which the “uncompressed” file is directly copied, with the manifest parser ignoring the rest of the “overlay” data that takes up the rest of the available space.

“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin said.

The final technique has to do with utilizing long XML namespace names in the manifest file, thus making it difficult for analysis tools to allocate enough memory to process them. That said, the manifest parser is designed to ignore namespaces, and, as a result, no errors are raised when handling the file.
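The three manifest tricks above can all be caught before any XML is interpreted, because each leaves a trace in the ZIP headers or in the first bytes of the binary manifest. The following checker is an added example written for this summary; it is not code from the article, from Kaspersky, or from the Android project. It reads the `AndroidManifest.xml` entry the way a lenient unpacker would (raw bytes from the local file header, inflated only when the method is 8), and then flags: a compression method other than 0 or 8; a declared entry size that disagrees with the length recorded in the AXML chunk header (the trailing bytes being the "overlay" the Android parser ignores); and any string-pool entry longer than a threshold, which is where oversized namespace names live. The `build_axml` and `build_zip` helpers only exist to construct in-memory fixtures for the checker (a deflated, well-formed manifest and a malformed one using method `0x0007`, 64 overlay bytes and a 4105-character namespace string); the 1024-character threshold is an assumption, not a value from the article.

```python
import io
import struct
import zipfile
import zlib

# --- Minimal Android binary-XML (AXML) builder and parser. Only the leading
# chunk header and the string pool are handled; that is all the checks need. ---

def build_axml(strings):
    """Constructed test fixture: an AXML blob whose UTF-16 string pool holds `strings`."""
    offsets, body = [], bytearray()
    for s in strings:
        offsets.append(len(body))
        n = len(s)
        if n > 0x7FFF:                        # long form: two uint16 length words
            body += struct.pack("<HH", 0x8000 | (n >> 16), n & 0xFFFF)
        else:
            body += struct.pack("<H", n)
        body += s.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)        # pool body is 4-byte aligned
    strings_start = 28 + 4 * len(strings)     # 28-byte pool header + offset table
    pool = struct.pack("<HHIIIIII", 0x0001, 28, strings_start + len(body),
                       len(strings), 0, 0, strings_start, 0)
    pool += b"".join(struct.pack("<I", o) for o in offsets) + bytes(body)
    # RES_XML_TYPE header: type 3, header size 8, chunk size = whole file
    return struct.pack("<HHI", 0x0003, 8, 8 + len(pool)) + pool


def axml_strings(axml):
    """Return every string in the manifest's string pool (UTF-16 or UTF-8 pools)."""
    typ, _, _ = struct.unpack_from("<HHI", axml, 0)
    ptype, phdr, _, count, _, flags, sstart, _ = struct.unpack_from("<HHIIIIII", axml, 8)
    if typ != 0x0003 or ptype != 0x0001:
        raise ValueError("not an AXML file with a leading string pool")
    out = []
    for off in struct.unpack_from("<%dI" % count, axml, 8 + phdr):
        p = 8 + sstart + off
        if flags & 0x100:                     # UTF-8 pool: char count, then byte count
            for _ in range(2):
                n = axml[p]; p += 1
                if n & 0x80:
                    n = ((n & 0x7F) << 8) | axml[p]; p += 1
            out.append(axml[p:p + n].decode("utf-8"))
        else:                                 # UTF-16 pool: char count
            n = struct.unpack_from("<H", axml, p)[0]; p += 2
            if n & 0x8000:
                n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", axml, p)[0]; p += 2
            out.append(axml[p:p + 2 * n].decode("utf-16-le"))
    return out


def build_zip(entries):
    """Constructed test fixture: minimal ZIP from (name, stored_bytes, method, declared_size)."""
    out, cd = bytearray(), bytearray()
    for name, data, method, usize in entries:
        n, crc, off = name.encode(), zlib.crc32(data), len(out)
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                           crc, len(data), usize, len(n), 0) + n + data
        cd += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method, 0, 0,
                          crc, len(data), usize, len(n), 0, 0, 0, 0, 0, off) + n
    cd_off = len(out)
    out += cd + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                            len(entries), len(cd), cd_off, 0)
    return bytes(out)


def check_manifest(apk_bytes, max_string_len=1024):
    """Return a list of findings for the three manifest tricks; empty means clean."""
    findings = []
    info = zipfile.ZipFile(io.BytesIO(apk_bytes)).getinfo("AndroidManifest.xml")
    # 1. Only 0 (stored) and 8 (deflate) are legitimate; anything else is accepted
    #    by the installer solely because libziparchive treats it as stored.
    if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
        findings.append("invalid compression method 0x%04x" % info.compress_type)
    # Raw entry bytes straight from the local file header, as a lenient unpacker reads them.
    name_len, extra_len = struct.unpack_from("<HH", apk_bytes, info.header_offset + 26)
    start = info.header_offset + 30 + name_len + extra_len
    payload = apk_bytes[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_DEFLATED:
        payload = zlib.decompress(payload, -15)
    # 2. The AXML chunk header records the real manifest length; a larger declared
    #    size means trailing overlay bytes that the Android parser silently skips.
    axml_size = struct.unpack_from("<I", payload, 4)[0]
    if info.file_size != axml_size or len(payload) != axml_size:
        findings.append("size mismatch: declared=%d payload=%d axml=%d"
                        % (info.file_size, len(payload), axml_size))
    # 3. Oversized pool strings, which is where long namespace names end up.
    for s in axml_strings(payload):
        if len(s) > max_string_len:
            findings.append("oversized string of %d chars in manifest string pool" % len(s))
    return findings


# Constructed samples: a well-formed deflated manifest and a malformed one.
def sample_benign_apk():
    axml = build_axml(["manifest", "android", "http://schemas.android.com/apk/res/android"])
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return build_zip([("AndroidManifest.xml", comp.compress(axml) + comp.flush(), 8, len(axml))])


def sample_malformed_apk():
    axml = build_axml(["manifest", "android", "http://x/" + "a" * 4096])  # huge namespace name
    payload = axml + b"\x00" * 64              # 64 bytes of overlay past the real manifest
    return build_zip([("AndroidManifest.xml", payload, 0x0007, len(payload))])  # bogus method


if __name__ == "__main__":
    for label, apk in (("benign", sample_benign_apk()), ("malformed", sample_malformed_apk())):
        print(label, check_manifest(apk) or "clean")
```

Running the module prints `clean` for the benign fixture and three findings for the malformed one. On a real APK, replace the fixture with the file's bytes; the checks are deliberately stricter than the Android parser, which is the point: an archive that only a lenient parser can load is itself the signal.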

SoumniBot, once launched, requests its configuration information from a hard-coded server address to obtain the addresses of the servers used, respectively, to send the collected data and to receive commands over the MQTT messaging protocol.

It’s designed to launch a malicious service that restarts every 16 minutes if it terminates for some reason, and uploads the information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.

The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android’s debug mode, not to mention hiding the app icon to make it harder to uninstall from the device.

One noteworthy feature of SoumniBot is its ability to search the external storage media for .key and .der files containing paths to “/NPKI/yessign,” which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks, and online stock exchanges (NPKI).

“These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions,” Kalinin said. “This technique is quite uncommon for Android banking malware.”

Earlier this year, cybersecurity company S2W revealed details of a malware campaign undertaken by the North Korea-linked Kimsuky group that made use of a Golang-based information stealer called Troll Stealer to siphon GPKI certificates from Windows systems.

“Malware creators seek to maximize the number of devices they infect without being noticed,” Kalinin concluded. “This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code.”

When reached for comment, Google told The Hacker News that it found no apps containing SoumniBot on the Google Play Store for Android.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” it added.

Ravie Lakshmanan
