Banker SoumniBot Evades Detection Through Android Manifest Obfuscation

Experts from Kaspersky Lab have revealed a new Android banking Trojan named SoumniBot targeting Korean users. This malware stands out for its unconventional approach to evading analysis and detection.

SoumniBot utilizes flaws in Android manifests for obfuscation. Manifest files (AndroidManifest.xml) contain information about declared components, permissions, and other application data. They help the OS extract information about various entry points in the program. By exploring how Android processes manifests, SoumniBot developers discovered interesting opportunities for APK obfuscation.

Analysts found that SoumniBot employs three different methods, including manipulating compression and file size within the manifest to evade checks.

In the first method, SoumniBot exploits the manifest extraction mechanism from the archive by manipulating the Compression method field value incorrectly.

If the APK encounters any Compression method value other than 0x0008 (DEFLATED) during manifest unpacking, the file is considered uncompressed. This allows app developers to specify any Compression method value other than 8 while storing data uncompressed. Such a manifest is invalid for most unpackers with a correct compression method check, but the Android framework’s APK parser recognizes it, allowing the installation.

In the second method, threat actors intentionally distort the manifest file size in the APK, providing a value exceeding the actual size. This manipulation affects the header of AndroidManifest.xml in the ZIP archive. If the file is stored uncompressed, it will be copied without changes, even if the size is inaccurately specified.

Moreover, any overlay in the manifest parser is ignored. SoumniBot leverages this by creating a manifest file where the specified size exceeds the real size, adding an overlay with part of the archive’s content to the unpacked manifest. While stricter manifest parsers cannot read such a file, the Android manifest parser processes it without errors.

In the third method, SoumniBot uses very long strings as namespace names in XML, complicating automated analysis tools that may lack memory for processing. Manifests with such strings become unreadable for both humans and programs. The OS’s manifest parser completely ignores namespaces, processing the incorrect manifest error-free.

Researchers notified Google about the inability of the APK Analyzer to handle files utilizing these techniques.

When run on a victim’s device, SoumniBot requests configuration parameters from a hardcoded server address, hides its icon for removal complexity, and periodically uploads victim data to the operators’ server in the background. This includes IP address, country, contact lists, SMS and MMS messages, and a victim ID generated using the trustdevice-android library. Additionally, the Trojan subscribes to receive messages from an MQTT server, executing commands.

Researchers highlight command number 0, which searches for .key and .der files in the device’s external storage with the path /NPKI/yessign. If found, the directory containing these files is zipped and sent to the command server. These files are digital certificates from Korean bank clients, used for online banking access or transaction confirmation. This technique, rare in Android banking malware, allows threat actors to empty victims’ wallets without their knowledge, bypassing various banking authentication methods.

The exact infiltration methods of SoumniBot on user devices remain unknown but could vary from distribution through third-party Android stores and fraudulent sites to updates with malicious code in legitimate apps.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment