A new Android malware called SoumniBot has been discovered in the wild. It targets users in South Korea and evades detection by exploiting weaknesses in the way Android extracts and parses an app's manifest.
Researchers at Kaspersky describe the malware as “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” in their technical analysis.
Every Android app ships a manifest file, “AndroidManifest.xml”, in the root of its APK. It declares the app's components, the permissions it requests, and the hardware and software features it requires.
Because analysts usually begin by examining the manifest to work out what an app does, the threat actors behind the malware use three distinct techniques to frustrate analysis of that file.
The first technique abuses the way libziparchive, the library Android uses to unpack the APK, validates the Compression method field of the manifest's ZIP entry: it treats any value other than 0x0008 (deflate) as uncompressed data, just as it does the legitimate stored value 0x0000. SoumniBot therefore writes an invalid method value into the field and stores the manifest uncompressed.
“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kaspersky researcher Dmitry Kalinin stated.
“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognises it correctly and allows the application to be installed.”
Notably, threat actors behind several other Android banking trojans have been using this technique since April 2023.
Second, SoumniBot declares a size for the archived manifest entry that is larger than the actual manifest. Because the entry is treated as uncompressed, its bytes are copied verbatim, and the manifest parser ignores the trailing “overlay” data that pads the file out to the declared size.
“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin stated.
The third and final technique uses XML namespace names so long that analysis tools may be unable to allocate enough memory to process them. The Android manifest parser, however, ignores namespaces, so it parses the file without error.
Once launched, SoumniBot requests its configuration from a hard-coded server address over the MQTT messaging protocol. The configuration specifies the servers to which the stolen data is uploaded and from which commands are received.
It then starts a malicious service that uploads stolen data every 15 seconds and is restarted every 16 minutes if it stops for any reason. The stolen data includes contact lists, SMS messages, images, videos, the list of installed apps, and device metadata.
In addition, the malware can send SMS messages, add and remove contacts, toggle silent and debug modes on the device, and hide its app icon to make it harder to remove.
One of SoumniBot's standout features is its ability to search external storage for .key and .der files whose paths contain “/NPKI/yessign”, a reference to the digital signature certificate service South Korea operates for government (GPKI), banks, and online stock exchanges (NPKI).
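As an added example (not Kaspersky's tooling, and nothing taken from the malware itself), the Python script below checks an APK for all three tricks. It reads the ZIP central directory and the binary manifest (AXML) by hand, because the standard library's zipfile refuses any entry whose compression method it does not recognise, which is exactly the condition the first trick creates. It then reports the raw Compression method, the number of overlay bytes past the manifest's declared chunk size, and the longest namespace prefix or URI among the start-namespace chunks. The two APKs it builds are constructed for the demo: the method value 0x0019, the 4 KiB overlay, the 20000-character prefix and the 256-character namespace threshold are illustrative choices, not values observed in SoumniBot. The string pool parser handles UTF-16 pools only.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CD_SIG, LFH_SIG = 0x06054B50, 0x02014B50, 0x04034B50
RES_XML_TYPE, RES_STRING_POOL_TYPE, RES_XML_START_NAMESPACE_TYPE = 0x0003, 0x0001, 0x0100
NAMESPACE_LENGTH_LIMIT = 256  # assumption: no legitimate manifest namespace prefix or URI is longer

def parse_string_pool(buf, off):
    """Return (strings, chunk_size) for the UTF-16 RES_STRING_POOL_TYPE chunk starting at buf[off]."""
    typ, hsize, size, count, _styles, flags, strings_start, _ = struct.unpack_from("<HHIIIIII", buf, off)
    if typ != RES_STRING_POOL_TYPE or flags & 0x100:  # 0x100 = UTF8_FLAG, not handled in this example
        raise ValueError("expected a UTF-16 string pool at offset %d" % off)
    strings = []
    for o in struct.unpack_from("<%dI" % count, buf, off + hsize):
        p = off + strings_start + o
        n = struct.unpack_from("<H", buf, p)[0]  # u16 char count, split across two u16 when >= 0x8000
        p += 2
        if n & 0x8000:
            n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", buf, p)[0]
            p += 2
        strings.append(buf[p:p + 2 * n].decode("utf-16-le", "replace"))
    return strings, size

def analyze_manifest(raw):
    """Tricks 2 and 3: overlay bytes past the AXML chunk, and oversized namespace strings."""
    typ, hsize, declared = struct.unpack_from("<HHI", raw, 0)
    if typ != RES_XML_TYPE:
        raise ValueError("not a binary XML manifest")
    strings, pool_size = parse_string_pool(raw, hsize)
    ns_lengths, off = [], hsize + pool_size
    while off + 8 <= declared:  # walk the remaining chunks; Android stops at the declared size
        ctype, chsize, csize = struct.unpack_from("<HHI", raw, off)
        if csize < 8:
            break  # malformed chunk: stop rather than loop forever
        if ctype == RES_XML_START_NAMESPACE_TYPE:  # body is (prefix index, uri index)
            prefix, uri = struct.unpack_from("<II", raw, off + chsize)
            ns_lengths.append(max(len(strings[prefix]), len(strings[uri])))
        off += csize
    longest = max(ns_lengths, default=0)
    return {"declared_size": declared, "overlay_bytes": len(raw) - declared,
            "longest_namespace": longest, "oversized_namespace": longest > NAMESPACE_LENGTH_LIMIT}

def analyze_apk(apk):
    """Trick 1 plus the manifest checks, reading the central directory and entry data by hand."""
    eocd = apk.rfind(struct.pack("<I", EOCD_SIG))
    n_entries, _cd_size, p = struct.unpack_from("<HII", apk, eocd + 10)
    for _ in range(n_entries):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", apk, p)
        method, csize, nlen, xlen, clen, lfh_off = f[4], f[8], f[10], f[11], f[12], f[16]
        name = apk[p + 46:p + 46 + nlen].decode("utf-8", "replace")
        p += 46 + nlen + xlen + clen
        if name != "AndroidManifest.xml":
            continue
        l_nlen, l_xlen = struct.unpack_from("<HH", apk, lfh_off + 26)  # the local header's own lengths
        raw = apk[lfh_off + 30 + l_nlen + l_xlen:][:csize]
        if method == 8:
            raw = zlib.decompress(raw, -15)  # DEFLATED; libziparchive treats any other value as STORED
        findings = {"compression_method": method, "bogus_method": method not in (0, 8)}
        findings.update(analyze_manifest(raw))
        return findings
    raise ValueError("no AndroidManifest.xml in archive")

def stdlib_zipfile_rejects(apk):
    try:  # a strict unpacker's view: Python's zipfile refuses to extract unknown compression methods
        zipfile.ZipFile(io.BytesIO(apk)).read("AndroidManifest.xml")
        return False
    except NotImplementedError:
        return True

def build_string_pool(strings):
    data, offsets = b"", []  # constructed UTF-16 pool; every string must be shorter than 0x8000 chars
    for s in strings:
        offsets.append(len(data))
        data += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    data += b"\x00" * (-len(data) % 4)
    start = 28 + 4 * len(strings)
    hdr = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, start + len(data), len(strings), 0, 0, start, 0)
    return hdr + struct.pack("<%dI" % len(strings), *offsets) + data

def build_sample_manifest(ns_prefix_len):
    """Constructed minimal AXML: string pool plus one start-namespace chunk (prefix index 3, uri index 1)."""
    strings = ["android", "http://schemas.android.com/apk/res/android", "manifest", "x" * ns_prefix_len]
    body = build_string_pool(strings) + struct.pack("<HHIIIII", RES_XML_START_NAMESPACE_TYPE, 16, 24, 1, 0xFFFFFFFF, 3, 1)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body

def build_sample_apk(manifest, method, overlay=b""):
    """Constructed one-entry ZIP: manifest written raw under `method`, sizes covering data + overlay."""
    name, payload = b"AndroidManifest.xml", manifest + overlay
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    lfh = struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, method, 0, 0, crc, len(payload), len(payload), len(name), 0)
    cd = struct.pack("<IHHHHHHIIIHHHHHII", CD_SIG, 20, 20, 0, method, 0, 0, crc, len(payload), len(payload),
                     len(name), 0, 0, 0, 0, 0, 0)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cd) + len(name), len(lfh) + len(name) + len(payload), 0)
    return lfh + name + payload + cd + name + eocd

SUSPICIOUS_APK = build_sample_apk(build_sample_manifest(20000), method=0x0019, overlay=b"\xAA" * 4096)
CLEAN_APK = build_sample_apk(build_sample_manifest(7), method=0)  # control: stored, no overlay, short prefix
```

To triage a real sample, call `analyze_apk(open(path, "rb").read())`: a `bogus_method`, a positive `overlay_bytes`, or an `oversized_namespace` is a strong signal, since legitimate build tooling produces none of them. A real manifest also carries a resource-map chunk and element chunks between the string pool and the namespace declarations; the chunk walk skips those by size, and reading the entry through the local header's own name and extra lengths (rather than the central directory's) mirrors what the installer actually consumes.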
“These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions,” said Kalinin. “This technique is quite uncommon for Android banking malware.”
Earlier this year, the North Korea-linked Kimsuky group ran a campaign that used a Golang-based information stealer named Troll Stealer to steal GPKI certificates from Windows PCs, as documented by the cybersecurity company S2W.
“Malware creators seek to maximise the number of devices they infect without being noticed,” Kalinin said. “This encourages them to seek out novel approaches to make detection more difficult. Unfortunately, the lack of sufficiently stringent validations in the Android manifest parser code allowed the SoumniBot developers to succeed.”