SoumniBot Mobile Malware Targets Android Devices


A newly discovered Android trojan named SoumniBot has been observed in the wild targeting users in South Korea by exploiting weaknesses in the way the Android manifest is extracted and parsed.

According to researchers, the malware is distinguished by an unusual tactic to avoid analysis and detection, specifically by obfuscating the Android manifest.

SoumniBot Comes With Three Different Attack Approaches

Each Android application includes a manifest XML file ("AndroidManifest.xml") in its root directory, which outlines the app's components, permissions, and required hardware and software features.

Recognizing that threat hunters typically initiate their analysis by examining the app's manifest file to understand its behavior, the threat actors behind the malware have employed three different methods to complicate this process.

The first method uses an invalid compression method value for the APK's manifest entry. It exploits the fact that the libziparchive library treats any value other than 0x0000 (stored) or 0x0008 (deflate) as uncompressed and copies the data out verbatim.

Although any unpacker that correctly validates the compression method would reject such a manifest, the Android APK parser accepts it and lets the application install.

It's noteworthy that this method has been utilized by threat actors linked to several Android banking trojans since April 2023.

Secondly, SoumniBot falsifies the archived manifest file size, providing a value higher than the actual size. Consequently, the "uncompressed" file is directly copied, with the manifest parser disregarding the additional "overlay" data that occupies the remaining space.

According to researchers, any stricter manifest parsers wouldn't be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors.

The final technique uses extremely long XML namespace names in the manifest file, so that analysis tools struggle to allocate enough memory to process them. Because the Android manifest parser ignores namespaces, the file is handled without any errors.
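A defender-side check for the first two tricks, added here as an example and not code from the researchers' report: it reads the APK's ZIP headers directly (the standard zipfile module would refuse the bogus method), flags a manifest whose compression method is neither 0 nor 8, and detects an overstated entry size by comparing the ZIP entry length with the size field in the binary XML chunk header. It assumes the Android binary XML layout (chunk type 0x0003, 8-byte header, total chunk size); build_sample constructs a toy APK with a fake manifest for testing, not a real one.

```python
import io
import struct
import zipfile

MANIFEST = "AndroidManifest.xml"
VALID_METHODS = {0, 8}  # stored and deflate: the only values a well-formed APK uses
AXML_TYPE = 0x0003      # RES_XML_TYPE, the chunk type that opens a binary XML file

def _entries(apk):
    """Walk the central directory by hand; zipfile would reject the bogus method."""
    eocd = apk.rfind(b"PK\x05\x06")
    count, pos = struct.unpack_from("<H4xI", apk, eocd + 10)
    for _ in range(count):
        (_, _, _, _, method, _, _, _, csize, _, nlen, xlen, clen,
         _, _, _, lfh_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", apk, pos)
        name = apk[pos + 46:pos + 46 + nlen].decode()
        l_nlen, l_xlen = struct.unpack_from("<HH", apk, lfh_off + 26)  # local header name/extra lengths
        yield name, method, csize, lfh_off + 30 + l_nlen + l_xlen
        pos += 46 + nlen + xlen + clen

def check_manifest(apk):
    """Return a list of anomalies for the manifest entry (empty means nothing suspicious)."""
    findings = []
    for name, method, csize, data_start in _entries(apk):
        if name != MANIFEST:
            continue
        if method not in VALID_METHODS:
            findings.append(f"compression method 0x{method:04x} is neither stored (0) nor deflate (8)")
        if method != 8:  # anything non-deflate is copied verbatim, so the raw bytes are the manifest
            data = apk[data_start:data_start + csize]
            chunk_type, _, chunk_size = struct.unpack_from("<HHI", data) if len(data) >= 8 else (0, 0, 0)
            if chunk_type != AXML_TYPE:
                findings.append("manifest data does not begin with a binary XML chunk")
            elif chunk_size < len(data):
                findings.append(f"{len(data) - chunk_size} bytes of overlay after the {chunk_size}-byte binary XML")
    return findings

def build_sample(method_override=None, overlay=b""):
    """Constructed sample APK: a tiny binary XML chunk, optional overlay, optional patched method."""
    axml = struct.pack("<HHI", AXML_TYPE, 8, 24) + b"\x00" * 16  # chunk size 24 = header + 16 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST, axml + overlay)  # first entry, so its local header sits at offset 0
        zf.writestr("classes.dex", b"dex\n035\x00")
    apk = bytearray(buf.getvalue())
    if method_override is not None:  # patch the method in both places Android reads it
        cd_off = struct.unpack_from("<I", apk, apk.rfind(b"PK\x05\x06") + 16)[0]
        struct.pack_into("<H", apk, 8, method_override)
        struct.pack_into("<H", apk, cd_off + 10, method_override)
    return bytes(apk)
```

Running check_manifest over a real APK file's bytes reports the same two anomalies; the method value 0x0012 used below is a constructed bogus value, not the one from the sample.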

Once launched, SoumniBot fetches its configuration information from a predefined server address to access the servers used for transmitting collected data and receiving commands via the MQTT messaging protocol.

SoumniBot Establishes Malicious Service on Infected Devices

The malware is programmed to initiate a malicious service that restarts every 16 minutes if terminated, and it uploads information every 15 seconds, including device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.

Additionally, SoumniBot can manipulate contacts, send SMS messages, toggle silent mode, and enable Android's debug mode, as well as conceal its app icon to hinder uninstallation from the device.

A notable feature of SoumniBot is its capability to search external storage media for .key and .der files whose paths contain "/NPKI/yessign," which pertains to South Korea's digital signature certificate service for governmental entities (GPKI), banks, and online stock exchanges (NPKI).
