A new Android trojan, SoumniBot, has been discovered targeting users in South Korea. It exploits vulnerabilities in the manifest extraction and parsing procedure, and is notable for its unconventional approach to evading analysis and detection, particularly its obfuscation of the Android manifest.
The Android manifest XML file (“AndroidManifest.xml”) is crucial for every Android app, as it declares the app’s components, permissions, and required hardware and software features. Threat hunters typically start their analysis by inspecting this file to understand the app’s behavior. SoumniBot employs three techniques to make this process more challenging.
Firstly, the malware sets an invalid compression method value on the manifest entry inside the APK, which tricks the parser into treating the file as uncompressed. Secondly, SoumniBot misrepresents the size of the archived manifest file, causing the parser to ignore the excess “overlay” data. Lastly, the malware uses very long XML namespace names, which hinders memory allocation in analysis tools while the Android manifest parser itself simply ignores these namespaces.
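As an added example (not code from the report or from the malware), the following Python reads an APK's ZIP central directory by hand and flags the first two tricks on the AndroidManifest.xml entry: a compression method other than STORED or DEFLATED, and a declared compressed size larger than the bytes actually present before the next header. The sample archive it builds and the 0x1234 method value are constructed for the demonstration.

```python
import io
import struct
import zipfile

ZIP_STORED, ZIP_DEFLATED = 0, 8
CENTRAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"

def central_entries(apk: bytes):
    """Yield (name, method, compressed_size, local_header_offset) from the raw central directory."""
    cd_size, cd_off = struct.unpack_from("<II", apk, apk.rfind(EOCD_SIG) + 12)
    pos = cd_off
    while pos < cd_off + cd_size and apk[pos:pos + 4] == CENTRAL_SIG:
        method, csize, nlen, xlen, clen, lho = struct.unpack_from("<H8xI4xHHH8xI", apk, pos + 10)
        yield apk[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"), method, csize, lho
        pos += 46 + nlen + xlen + clen

def scan_manifest(apk: bytes) -> list:
    """Flag the two ZIP-level manifest tricks described above; returns finding strings."""
    entries = list(central_entries(apk))
    cd_off = struct.unpack_from("<I", apk, apk.rfind(EOCD_SIG) + 16)[0]
    findings = []
    for name, method, csize, lho in entries:
        if name != "AndroidManifest.xml":
            continue
        if method not in (ZIP_STORED, ZIP_DEFLATED):
            findings.append(f"compression method {method:#06x} is neither STORED nor DEFLATED")
        # Local file header: name/extra lengths at +26/+28, file data begins at +30.
        nlen, xlen = struct.unpack_from("<HH", apk, lho + 26)
        data_start = lho + 30 + nlen + xlen
        later = [e[3] for e in entries if e[3] > lho]
        actual = (min(later) if later else cd_off) - data_start
        # Only an overstated size is suspicious: a data descriptor or signing block may legitimately follow.
        if csize > actual:
            findings.append(f"declared compressed size {csize} exceeds the {actual} bytes present")
    return findings

def build_sample(method: int = ZIP_STORED, overstate: int = 0) -> bytes:
    """Constructed sample (not a real SoumniBot file): patch the manifest entry's method and size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"\0" * 32)
    data = bytearray(buf.getvalue())
    cen = data.find(CENTRAL_SIG)                    # first central entry is the manifest
    size = len(b"<manifest/>") + overstate
    struct.pack_into("<H", data, 8, method)          # local header: compression method
    struct.pack_into("<I", data, 18, size)           # local header: compressed size
    struct.pack_into("<H", data, cen + 10, method)   # central directory: compression method
    struct.pack_into("<I", data, cen + 20, size)     # central directory: compressed size
    return bytes(data)
```

Running `scan_manifest(build_sample(method=0x1234, overstate=64))` reports both anomalies, while an unpatched sample produces no findings.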
Once launched, SoumniBot requests its configuration information from a hard-coded server address using the MQTT messaging protocol. It launches a malicious service that restarts every 16 minutes if terminated and uploads information every 15 seconds, including device metadata, contact lists, SMS messages, photos, videos, and installed apps. The malware can also add and delete contacts, send SMS messages, toggle silent mode, enable Android’s debug mode, and hide its app icon to make it harder to uninstall.
A notable feature of SoumniBot is its ability to search external storage media for .key and .der files containing paths to “/NPKI/yessign”, which refers to South Korea’s digital signature certificate service. This technique is uncommon for Android banking malware.
Google Play Protect automatically protects Android users against known versions of this malware. While Google found no apps containing SoumniBot on the Google Play Store, users are advised to remain cautious and only download apps from trusted sources.
Beyond sticking to trusted sources, users can protect themselves against SoumniBot and other Android malware by keeping their devices updated with the latest security patches, using reputable antivirus software, keeping Google Play Protect enabled, and being cautious of suspicious links and attachments.