How to detect and remove SoumniBot Malware on Android

The new “SoumniBot” banking malware for Android takes a different tack from most obfuscation techniques: it exploits loopholes in how Android parses and extracts the APK manifest.

This technique allows SoumniBot to steal information from Android phones while evading the usual security checks.

Researchers at Kaspersky discovered and analysed the malware, and they have published technical details of how it abuses the procedure Android uses to extract APK manifests.


How SoumniBot Malware tricks Android’s parser

Each app’s root directory contains a manifest file called “AndroidManifest.xml.” This file contains information about the app’s components, including services, broadcast receivers, content providers, permissions, and data.

Malicious APKs employ many techniques to circumvent analysis and security programmes, but according to Kaspersky, SoumniBot relies on three distinct approaches, each of which manipulates the size or compression of the manifest file to get past parser checks.

First, Android unpacks APKs with its ‘libziparchive’ library, and SoumniBot declares a compression method for the manifest that is invalid: it is neither of the two values the library normally expects (0 or 8).

Because of a quirk in the Android APK parser, an unrecognised value is not rejected; the entry is simply treated as uncompressed, so the APK still installs and runs on the device even though the malformed header trips up security checks.

The second approach is to declare an inflated size for the manifest file in the APK, one that is larger than its actual size.

Because the entry was marked as uncompressed in the previous step, the file is copied straight out of the archive, and the gap between the declared and real size is filled with superfluous “overlay” data.

According to Kaspersky, this extra data serves to confuse code-analysis tools, but it does not harm the device itself, because Android is configured to disregard it.

Third, the manifest uses extremely long strings as XML namespace names, which defeats automated analysis tools that lack the capacity to handle them.
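The first two tricks above live in the APK's ZIP headers, so a defender can triage a suspicious file before any manifest parser touches it. The script below is an added example written for this article, not code from the article itself or from Kaspersky. It parses the central directory and local file headers by hand (so that a ZIP library cannot normalise or reject the values first) and flags a manifest entry whose compression method is neither 0 nor 8, whose stored sizes disagree, or whose declared size runs past the next entry's header. The archive it builds is a constructed stand-in for an APK, and the method value 0x42 it writes into the tampered copy is an arbitrary invalid choice, not the value SoumniBot uses. The third trick, oversized XML namespace strings, sits inside the binary manifest and would need an AXML parser, so it is not covered here.

```python
import io
import struct
import zipfile

MANIFEST_NAME = "AndroidManifest.xml"
VALID_METHODS = {0, 8}            # ZIP method 0 = stored, 8 = Deflate
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_FMT = "<4sHHHHIIH"           # end-of-central-directory record (22 bytes)
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory file header (46 bytes)
LFH_FMT = "<4sHHHHHIIIHH"         # local file header (30 bytes)


def central_entries(data: bytes) -> list[dict]:
    """Parse the central directory by hand so the header fields are seen exactly
    as written, without a ZIP library normalising or rejecting them first."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack_from(CDH_FMT, data, pos)
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        entries.append({
            "name": data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"),
            "cdh_pos": pos, "method": f[4], "csize": f[8], "usize": f[9],
            "local_off": f[16],
        })
        pos += 46 + name_len + extra_len + comment_len
    entries.sort(key=lambda e: e["local_off"])  # physical order inside the file
    return entries


def audit_manifest(data: bytes) -> list[str]:
    """Return findings for the manifest entry: an unexpected compression method,
    a stored entry whose two sizes disagree, a local header that contradicts the
    central directory, or a declared size that runs past the next local header
    (the 'inflated size' trick)."""
    findings = []
    entries = central_entries(data)
    cd_offset = struct.unpack_from(EOCD_FMT, data, data.rfind(EOCD_SIG))[6]
    for i, e in enumerate(entries):
        if e["name"] != MANIFEST_NAME:
            continue
        lfh = struct.unpack_from(LFH_FMT, data, e["local_off"])
        if lfh[0] != LFH_SIG:
            findings.append("manifest local header signature is wrong")
            continue
        if e["method"] not in VALID_METHODS:
            findings.append(f"unexpected compression method {e['method']}")
        if e["method"] != 8 and e["csize"] != e["usize"]:
            findings.append("stored manifest declares different compressed/uncompressed sizes")
        if (lfh[3], lfh[7], lfh[8]) != (e["method"], e["csize"], e["usize"]):
            findings.append("local file header disagrees with central directory")
        data_start = e["local_off"] + 30 + lfh[9] + lfh[10]   # after name and extra field
        next_hdr = entries[i + 1]["local_off"] if i + 1 < len(entries) else cd_offset
        if data_start + e["csize"] > next_hdr:
            findings.append(
                f"declared size {e['csize']} exceeds the {next_hdr - data_start} "
                "bytes available before the next header"
            )
    return findings


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample: a minimal ZIP standing in for an APK. With tamper=True
    the manifest headers are rewritten to mimic the two header-level tricks;
    the method value 0x42 is an arbitrary invalid choice, not SoumniBot's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MANIFEST_NAME, b"<manifest package='example.test'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" * 8)
    data = bytearray(buf.getvalue())
    if tamper:
        e = next(x for x in central_entries(bytes(data)) if x["name"] == MANIFEST_NAME)
        bogus_method, bogus_size = 0x42, e["usize"] + 4096
        struct.pack_into("<H", data, e["cdh_pos"] + 10, bogus_method)    # CD method
        struct.pack_into("<II", data, e["cdh_pos"] + 20, bogus_size, bogus_size)  # CD sizes
        struct.pack_into("<H", data, e["local_off"] + 8, bogus_method)   # LFH method
        struct.pack_into("<II", data, e["local_off"] + 18, bogus_size, bogus_size)  # LFH sizes
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk(False)), ("tampered", build_sample_apk(True))):
        print(label, audit_manifest(blob) or ["no anomalies"])
```

Run it on a real file by reading the APK into `data` and calling `audit_manifest(data)`; the clean sample yields no findings, while the tampered one reports both the unexpected method and the size overrun. Parsing the headers directly matters here because a stock ZIP library may either silently ignore the odd method value or refuse the file outright, and either way the analyst loses the very signal that distinguishes this sample.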

Kaspersky has notified Google that APK Analyzer, the official analysis tool for Android, cannot process files that use the evasion methods above.

Additionally, BleepingComputer has reached out to Google for comment. We will provide an update here whenever we receive a response. 

The SoumniBot Malware as a threat

Right after it starts up, SoumniBot sends the infected device’s profile information (number, carrier, etc.) to a hardcoded server address and requests its configuration settings from it.

It then launches a malicious service that exfiltrates the victim’s data every 15 seconds and restarts every 16 minutes if it is not stopped.

The stolen information includes digital certificates for online banking, images, videos, IP addresses, contact lists, account information, and SMS messages.


An MQTT server orchestrates the data exfiltration by sending commands to the malware. These commands not only drive the extraction of sensitive information but also let the operator make the compromised device perform a range of operations. Among them are editing the contact list, including adding or removing entries, and sending SMS messages, which lets the attacker forward conversations as they wish. The commands also expose the device’s audio settings, so the ringtone volume can be changed and silent mode toggled on and off, and they can change the device’s debug mode, letting the attacker turn it on or off to suit their goals. This command set highlights the malware’s versatility in both manipulating the device and stealing data.

It is not known how SoumniBot reaches devices; the possibilities range from distribution through unofficial Android stores and rogue websites to infiltrating trusted app repositories and updating legitimate programmes with malicious code.

SoumniBot targets Korean users. Like other malicious Android apps, it hides its icon after installation to make removal harder, yet it keeps uploading victim data while running in the background.

Kaspersky provides a short list of indicators of compromise, including malware hashes and two domains used for command-and-control operations.

Olanrewaju Adeniyi

With a bachelor's degree in agricultural extension and rural development from Ladoke Akintola University of Technology, Olanrewaju Adeniyi works as a studio manager and presenter. He guarantees effectiveness, originality, and brilliance with a flair for solo presentations, client communication, and studio management. He is a lifelong learner who keeps up with the newest technological developments. Olanrewaju is a tremendous asset in fostering success in the fast-paced corporate environment of today thanks to his broad range of talents and innovative thinking.
