Banking Trojan Targets Korean Users by Manipulating Android Manifest
A sophisticated new Android malware, dubbed SoumniBot, is making waves for its ingenious obfuscation techniques that exploit vulnerabilities in how Android apps interpret the crucial Android manifest file. Unlike typical malware droppers, SoumniBot’s stealthy approach allows it to camouflage its malicious intent and evade detection.
Exploiting Android Manifest Weaknesses
According to researchers at Kaspersky, SoumniBot’s evasion strategy revolves around manipulating the Android manifest, a core component within every Android application package. The malware developers have identified and exploited vulnerabilities in the manifest extraction and parsing procedure, enabling them to obscure the true nature of the malware.
SoumniBot employs several techniques to obfuscate its presence and thwart analysis, including:
- Invalid Compression Method Value: By manipulating the compression method value within the AndroidManifest.xml entry, SoumniBot tricks the parser into recognizing data as uncompressed, allowing the malware to evade detection during installation.
- Invalid Manifest Size: SoumniBot manipulates the size declaration of the AndroidManifest.xml entry, causing overlay within the unpacked manifest. This tactic enables the malware to bypass strict parsers without triggering errors.
- Long Namespace Names: Utilizing excessively long namespace strings within the manifest, SoumniBot renders the file unreadable for both humans and programs. The Android OS parser disregards these lengthy namespaces, facilitating the malware’s stealthy operation.
SoumniBot’s Malicious Functionality
Upon execution, SoumniBot requests configuration parameters from a hardcoded server, enabling it to function effectively. The malware then initiates a malicious service, conceals its icon to prevent removal, and begins uploading sensitive data from the victim’s device to a designated server.
Researchers have also highlighted SoumniBot’s capability to search for and exfiltrate digital certificates used by Korean banks for online banking services. This feature allows threat actors to exploit banking credentials and conduct fraudulent transactions.
Targeting Korean Banking Credentials
SoumniBot locates relevant files containing digital certificates issued by Korean banks to their clients for authentication and authorization purposes. It copies the directory containing these digital certificates into a ZIP archive, which is then transmitted to the attacker-controlled server.
Furthermore, SoumniBot subscribes to messages from a message queuing telemetry transport server (MQTT), an essential command-and-control infrastructure component. MQTT facilitates lightweight, efficient messaging between devices, helping the malware seamlessly receive commands from remote attackers.
Some of SoumniBot’s malicious commands include:
- Sending information about the infected device, including phone number, carrier, and Trojan version
- Transmitting the victim’s SMS messages, contacts, accounts, photos, videos, and online banking digital certificates
- Deleting contacts on the victim’s device
- Sending a list of installed apps
- Adding new contacts on the device
- Getting ringtone volume levels
With its innovative obfuscation tactics and capability to target Korean banking credentials, SoumniBot poses a significant threat to South Korean Android users.
