How to detect and remove SoumniBot Malware on Android

by Olanrewaju Adeniyi
April 19, 2024

The new “SoumniBot” banking malware for Android takes a different tack than most obfuscation attacks by using loopholes in the Android manifest parsing and extraction process.

This technique allows SoumniBot to take information from Android phones while avoiding the usual security checks.

Researchers from Kaspersky discovered and analysed the malware and published technical details of how it abuses the way Android extracts and parses APK manifests.

How SoumniBot Malware tricks Android’s parser

Each app’s root directory contains a manifest file called “AndroidManifest.xml.” This file contains information about the app’s components, including services, broadcast receivers, content providers, permissions, and data.

Malicious APKs might employ several techniques to circumvent analysis and security programmes, but according to Kaspersky, SoumniBot uses three distinct approaches that manipulate the size and compression of the manifest file to evade parser checks.

The first trick targets the Android ‘libziparchive’ library, which is responsible for unpacking APKs: SoumniBot declares an invalid compression method for the manifest entry, a value other than the standard 0 or 8 (stored or Deflate-compressed).

Instead of rejecting the entry, Android’s APK parser treats an unrecognised compression method as if the file were stored uncompressed, so the APK still installs and runs on the device while analysis tools that expect a valid value are thrown off.

The second trick is to declare a manifest file size in the APK’s ZIP header that is larger than the file’s actual size.

Because the entry was treated as uncompressed in the previous step, the file is copied straight out of the archive, and the gap between the declared and real size is padded with junk “overlay” data.

According to Kaspersky, this extra data exists to confuse code analysis tools; it does not affect the device itself, because Android simply ignores it.

Third, the manifest uses extremely long strings as XML namespace names, which automated analysis tools that cannot handle such lengths fail to process.
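As an added example (not code from the article or from Kaspersky), the following Python script parses an APK’s ZIP central directory by hand, since standard ZIP libraries reject the crafted fields, and flags the first two tricks described above on the AndroidManifest.xml entry: a compression method other than 0 or 8, and a declared size padded with overlay bytes beyond the end of the binary XML chunk. The build_sample_apk helper and its AXML-like blob are constructed for the demonstration; the third trick (oversized namespace strings) is not covered.

```python
# Added example: hand-parse a ZIP/APK and flag crafted AndroidManifest.xml entries.
import io
import struct
import zipfile
import zlib

VALID_METHODS = {0, 8}  # ZIP "stored" and "Deflate"; anything else is suspect

def build_sample_apk(method=0x0009, overlay=b"\x00" * 64):
    """Constructed sample: manifest entry is a 16-byte AXML-like blob (type 0x0003,
    chunk size 16) with junk appended, then the ZIP method field is patched."""
    axml = b"\x03\x00\x08\x00" + struct.pack("<I", 16) + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", axml + overlay)
    data = bytearray(buf.getvalue())
    # method field sits at +8 in the local header and +10 in the central directory
    struct.pack_into("<H", data, data.find(b"PK\x03\x04") + 8, method)
    struct.pack_into("<H", data, data.find(b"PK\x01\x02") + 10, method)
    return bytes(data)

def scan_manifest(apk):
    """Return a list of findings for the AndroidManifest.xml entry (empty = clean)."""
    eocd = apk.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    cd_size, cd_off = struct.unpack_from("<II", apk, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size:
        h = struct.unpack_from("<IHHHHHHIIIHHHHHII", apk, pos)   # 46-byte CD header
        method, csize, usize, nlen, elen, clen, lh_off = h[4], h[8], h[9], h[10], h[11], h[12], h[16]
        name = apk[pos + 46 : pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        if name != "AndroidManifest.xml":
            continue
        findings = []
        if method not in VALID_METHODS:
            findings.append(f"invalid compression method {method:#x}; Android treats the entry as stored")
        if method != 8 and csize != usize:
            findings.append(f"stored entry with mismatched sizes: {csize} in archive, {usize} declared")
        ln, le = struct.unpack_from("<HH", apk, lh_off + 26)  # name/extra lengths in local header
        start = lh_off + 30 + ln + le
        raw = apk[start : start + csize]
        if method == 8:
            raw = zlib.decompress(raw, -15)
        if len(raw) >= 8:
            xml_type, _, chunk = struct.unpack_from("<HHI", raw, 0)  # binary XML chunk header
            if xml_type == 0x0003 and chunk < len(raw):
                findings.append(f"{len(raw) - chunk} bytes of overlay after the XML chunk end")
        return findings
    return ["no AndroidManifest.xml entry in central directory"]
```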

Kaspersky has notified Google that APK Analyzer, the official analysis tool for Android, cannot process files that use the evasion methods above.

Additionally, BleepingComputer has reached out to Google for comment. We will provide an update here whenever we receive a response.

The SoumniBot Malware as a threat

Right after it starts up, SoumniBot sends the infected device’s profile information (number, carrier, etc.) and requests its configuration from a hardcoded server address.

The next step is to launch a malicious service that collects the victim’s data every 15 seconds and restarts every 16 minutes if not stopped.

The stolen information includes digital certificates for online banking, images, videos, IP addresses, contact lists, account information, and SMS messages.

An MQTT server orchestrates the data exfiltration process by sending commands to the malware. Beyond making it easier to extract sensitive information, these commands let the attacker perform various operations on the compromised device: editing the contact list, including adding or removing entries; sending SMS messages and forwarding conversations; changing the device’s audio settings, such as ringtone volume and silent mode; and toggling the device’s debug mode on or off to suit the attacker’s goals. This command set highlights the malware’s versatility in manipulating devices and stealing data.

It is unknown how SoumniBot gets onto devices; possibilities range from distribution through unofficial Android stores and rogue websites to infiltrating trustworthy app repositories and adding malicious code to updates of genuine programmes.

SoumniBot targets Korean users. Like other malicious Android apps, it hides its icon after installation to make removal more difficult, while continuing to upload victim data in the background.

Kaspersky provides a brief list of indicators of compromise, including malware hashes and two domains used for command and control.
