SoumniBot, a new Android trojan, exploits manifest extraction and parsing flaws to target South Korean users.
The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” according to Kaspersky researcher Dmitry Kalinin.
Every Android app has a manifest XML file (“AndroidManifest.xml”) in the root directory that identifies its components, permissions, and hardware and software requirements.
Knowing that threat hunters start their study by scanning the app’s manifest file to establish its behavior, the malware’s threat actors use three methods to complicate the procedure.
The first technique uses an invalid Compression method value when the APK’s manifest file is unpacked by the libziparchive library, which regards any value other than 0x0000 or 0x0008 as uncompressed.
“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin said.
“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed.”
Threat actors behind various Android banking trojans have used the tactic since April 2023.
Second, SoumniBot misrepresents the archived manifest file size, declaring a value larger than the actual one; the manifest parser copies the declared number of bytes as the “uncompressed” file and ignores the “overlay” data that fills the remaining space.
“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” he stated.
Finally, very long XML namespace names in the manifest file make it hard for analysis tools to allocate enough memory to process them. The Android manifest parser, however, ignores namespaces, so it handles the file without raising any errors.
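A defender-side check for the first two tricks (the zip-level ones; the long-namespace trick lives inside the binary XML and is not covered here), added as an example and not code from Kaspersky or Rhyno. It parses the APK's central directory by hand and compares the manifest entry's declared compression method and sizes with its local file header; the in-memory sample APK, the method value 0x1234 and the size padding are constructed for the demonstration.

```python
import io
import struct
import zipfile

MANIFEST = b"AndroidManifest.xml"
CD_SIG = b"PK\x01\x02"        # central directory file header signature
CD_FIELDS = "<H8xIIHHH8xI"    # method, csize, usize, name/extra/comment lengths, local offset
LFH_FIELDS = "<H8xII"         # method, csize, usize in the local file header

def central_directory(data: bytes):
    """Yield (pos, name, method, csize, usize, local_offset) per entry, parsed by hand
    so that no library normalises the header fields being inspected."""
    eocd = data.rfind(b"PK\x05\x06")                   # end-of-central-directory record
    pos = struct.unpack_from("<I", data, eocd + 16)[0] # where the central directory starts
    while data[pos:pos + 4] == CD_SIG:
        method, csize, usize, nlen, xlen, clen, off = struct.unpack_from(CD_FIELDS, data, pos + 10)
        yield pos, data[pos + 46:pos + 46 + nlen], method, csize, usize, off
        pos += 46 + nlen + xlen + clen

def check_manifest(data: bytes) -> list:
    """Return findings for the manifest entry whose zip headers match the tricks above."""
    findings = []
    for _, name, method, csize, usize, off in central_directory(data):
        if name != MANIFEST:
            continue
        if method not in (0, 8):                       # neither stored nor deflate
            findings.append(f"compression method 0x{method:04x} (libziparchive treats it as stored)")
        if method != 8 and csize != usize:             # a stored entry must have equal sizes
            findings.append(f"stored entry with compressed size {csize} != uncompressed size {usize}")
        if struct.unpack_from(LFH_FIELDS, data, off + 8) != (method, csize, usize):
            findings.append("central directory and local header disagree on method or sizes")
        nlen, xlen = struct.unpack_from("<HH", data, off + 26)
        if off + 30 + nlen + xlen + csize > len(data):
            findings.append("declared size runs past the end of the archive")
    return findings

def build_sample_apk(method=0x1234, padding=64) -> bytes:
    """Constructed sample: a normal stored zip whose central-directory entry for the
    manifest is patched with a bogus method and an inflated size (values are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST.decode(), b"<manifest/>")  # placeholder, not real binary XML
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    for pos, name, _, csize, usize, _ in central_directory(bytes(data)):
        if name == MANIFEST:
            struct.pack_into("<H", data, pos + 10, method)
            struct.pack_into("<II", data, pos + 20, csize + padding, usize + padding)
    return bytes(data)
```

Running `check_manifest(build_sample_apk())` reports the bogus method and the header disagreement, while an unpatched archive (`method=0, padding=0`) yields no findings.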
Once launched, SoumniBot requests its configuration information from a hard-coded server address to find the MQTT servers used to send and receive data and commands.
It then starts a malicious service that uploads data every 15 seconds and restarts every 16 minutes if it crashes. The uploaded data includes device metadata, contact lists, SMS messages, photographs, videos, and the list of installed apps.
The malware can also create and delete contacts, send SMS messages, toggle silent mode, enable Android’s debug mode, and hide the app icon to make uninstalling harder.
SoumniBot can also scan external storage media for .key and .der files whose paths contain “/NPKI/yessign,” the directory used by South Korea’s digital signature certificate service for government (GPKI), banks, and online stock exchanges.
“These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions,” he said. “This technique is quite uncommon for Android banking malware.”
Cybersecurity company S2W disclosed earlier this year that the North Korea-linked Kimsuky group used Troll Stealer, a Golang-based information stealer, to steal Windows GPKI certificates.
“Malware creators seek to maximize the number of devices they infect without being noticed,” Kalinin said. “They seek innovative techniques to complicate detection. Insufficient Android manifest parser code validations allowed SoumniBot’s creators to succeed.”