
SoumniBot Mobile Malware

A previously unknown Android Trojan dubbed SoumniBot has emerged and is actively targeting users in South Korea. It exploits weaknesses in how the manifest of an APK is extracted and parsed. What sets this malware apart is its strategy for evading detection and analysis, which relies chiefly on obfuscating the Android manifest file.

Each Android application is accompanied by a manifest XML file named "AndroidManifest.xml," situated in the root directory. This file outlines the application's components, permissions, and necessary hardware and software features.

Understanding that threat hunters commonly initiate their analysis by examining the application's manifest file to ascertain its functionality, the malicious actors responsible for the malware have been observed utilizing three distinct techniques to complicate this process significantly.

The SoumniBot Mobile Malware Takes Novel Measures to Avoid Detection

The first approach manipulates the Compression method value that the libziparchive library reads while unpacking the APK's manifest file. It exploits the library's behavior of treating any value other than 0x0000 or 0x0008 as "uncompressed," so the malware author can write any value except 8 into that field and store the manifest data uncompressed.

Unpackers that properly validate the compression method reject such a manifest as invalid, but the Android APK parser interprets it correctly and the application installs. Notably, this technique has been used by threat actors behind various Android banking Trojans since April 2023.

Second, SoumniBot fabricates the archived manifest file size, declaring a value larger than the actual size. Consequently, the "uncompressed" file is copied directly from the archive, and the manifest parser ignores the surplus "overlay" data. Stricter manifest parsers fail on such files, whereas the Android parser handles the flawed manifest without error.

The final tactic uses very long XML namespace names in the manifest file, so that analysis tools struggle to allocate enough memory to process them. The manifest parser, however, is designed to ignore namespaces and therefore processes the file without raising any errors.
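To check an APK for the first two tricks without trusting a lenient unpacker, here is an added Python example (not from the original article or from any tool it mentions): it walks the ZIP central directory by hand, flags a non-standard compression method on AndroidManifest.xml, and compares the size the ZIP header declares with the size the binary XML header states for itself. The sample archive it builds is constructed for the demonstration, and the overlay check assumes that the top-level RES_XML_TYPE chunk size of a real manifest equals the manifest's total length.

```python
import struct
import zlib
EOCD_SIG, CDIR_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
STORED, DEFLATED, RES_XML_TYPE = 0, 8, 0x0003

def iter_central_dir(blob):
    """Walk the ZIP central directory by hand; yields (name, method, csize, local_offset)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    hdr = struct.unpack("<4s4H2LH", blob[eocd:eocd + 22])
    pos = hdr[6]                      # offset of the central directory
    for _ in range(hdr[4]):           # total number of entries
        f = struct.unpack("<4s6H3L5H2L", blob[pos:pos + 46])
        if f[0] != CDIR_SIG:
            raise ValueError("bad central directory entry")
        yield blob[pos + 46:pos + 46 + f[10]].decode("utf-8", "replace"), f[4], f[8], f[16]
        pos += 46 + f[10] + f[11] + f[12]

def manifest_findings(blob, name="AndroidManifest.xml"):
    """Return findings for the manifest entry; an empty list means the headers look sane."""
    findings = []
    for entry, method, csize, offset in iter_central_dir(blob):
        if entry != name:
            continue
        # Trick 1: libziparchive treats any method other than 0 or 8 as 'stored' and installs anyway.
        if method not in (STORED, DEFLATED):
            findings.append(f"non-standard compression method 0x{method:04x}")
        # Locate the entry's data: local header (30 bytes) + its file name + extra field.
        local = struct.unpack("<4s5H3L2H", blob[offset:offset + 30])
        data = blob[offset + 30 + local[9] + local[10]:][:csize]
        # Trick 2: the AXML header states its own total size; bytes past it are overlay Android ignores.
        if method != DEFLATED and len(data) >= 8:
            chunk_type, _, chunk_size = struct.unpack("<HHL", data[:8])
            if chunk_type == RES_XML_TYPE and chunk_size < csize:
                findings.append(f"{csize - chunk_size} overlay bytes beyond the {chunk_size}-byte manifest")
    return findings

def build_sample_apk(method=STORED, overlay=b""):
    """Constructed sample (not a real APK): one stored entry whose body is a bare AXML header."""
    data = struct.pack("<HHL", RES_XML_TYPE, 8, 8) + overlay    # chunk says it is 8 bytes long
    name = b"AndroidManifest.xml"
    local = struct.pack("<4s5H3L2H", LOCAL_SIG, 20, 0, method, 0, 0x5821,
                        zlib.crc32(data), len(data), len(data), len(name), 0)
    central = struct.pack("<4s6H3L5H2L", CDIR_SIG, 20, 20, 0, method, 0, 0x5821,
                          zlib.crc32(data), len(data), len(data), len(name), 0, 0, 0, 0, 0, 0)
    cd_offset = len(local) + len(name) + len(data)
    eocd = struct.pack("<4s4H2LH", EOCD_SIG, 0, 0, 1, 1, len(central) + len(name), cd_offset, 0)
    return local + name + data + central + name + eocd
```

Running `manifest_findings` over a real APK's bytes reports the same two conditions; entries other than the manifest are left alone.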

SoumniBot Targets Sensitive Data on Breached Android Devices

After being activated, SoumniBot retrieves its configuration data from a pre-set server address to acquire the servers utilized for transmitting collected data and receiving commands through the MQTT messaging protocol.

It's programmed to start a malicious service that restarts every 16 minutes if it is terminated, ensuring continuous operation, while uploading information every 15 seconds. This data encompasses device metadata, contact lists, SMS messages, photos, videos and a list of installed applications.

Additionally, the malware possesses functionalities, such as adding and removing contacts, dispatching SMS messages, toggling silent mode and activating Android's debug mode. Furthermore, it can conceal its application icon, enhancing its resistance to uninstallation from the device.

A notable attribute of SoumniBot is its capability to scan external storage media for .key and .der files whose paths contain '/NPKI/yessign', which corresponds to the digital signature certificate service provided by South Korea for governmental (GPKI), banking and online stock exchange (NPKI) purposes.

These files represent digital certificates issued by Korean banks to their customers, utilized for logging into online banking platforms or verifying banking transactions. This technique is relatively uncommon among Android banking malware.
