The new “SoumniBot” banking malware for Android takes a different tack from most obfuscation techniques: it abuses loopholes in the way Android extracts and parses the APK manifest.
This lets SoumniBot steal data from infected Android devices while evading the checks that analysis tools apply to an app’s manifest.
Researchers at Kaspersky discovered and analysed the malware, and published technical details of how it abuses the procedure Android uses to extract APK manifests.
How SoumniBot Malware tricks Android’s parser
The root directory of every APK contains a manifest file, “AndroidManifest.xml”, which declares the app’s components (services, broadcast receivers, content providers and so on), the permissions it requests, and other metadata.
Malicious APKs use many techniques to hinder analysis and evade security software, but according to Kaspersky, SoumniBot relies on three distinct tricks that manipulate the compression method and size of the manifest file to defeat parser checks.
First, Android unpacks APKs with the ‘libziparchive’ library, and SoumniBot’s manifest entry uses an invalid compression method value, one that matches neither of the expected values (0 for stored, 8 for deflate).
Android’s APK parser has a quirk: it treats such a value as bogus and extracts the entry as if it were uncompressed, so the app still installs and runs on the device, whereas analysis tools that enforce the specification reject the file.
Second, the manifest entry declares a size that is larger than the file’s real size.
Because the entry was tagged as uncompressed by the previous trick, it is copied straight out of the archive, and the difference is made up by “overlay” data that follows the real manifest.
According to Kaspersky, this extra data is what confuses code-analysis tools; it does no harm on the device because Android simply disregards it.
Third, the manifest uses extremely long strings as XML namespace names, which is enough to defeat automated analysis tools that cannot handle strings of that size.
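The first two tricks, as an added example that is not Kaspersky’s, Android’s or the malware’s code: it hand-writes a one-entry APK (a ZIP) whose manifest entry carries an unrecognised compression method (0xABCD, an arbitrary assumed value) and an inflated declared size padded with 64 overlay bytes, shows Python’s `zipfile` refusing it while a reader modelled on the behaviour described above still recovers the manifest, and runs a triage check that flags both anomalies. The “manifest” is a constructed stand-in, a real ResXMLTree chunk header followed by opaque bytes, so the third trick (overlong namespace strings in the string pool) is not reproduced.

```python
# Added example, not code from Kaspersky, Android or SoumniBot: build a
# one-entry APK by hand so the AndroidManifest.xml entry carries an invalid
# compression method and an inflated declared size, then compare a strict
# unzip with a lenient reader and run a triage check for both anomalies.
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8
BOGUS_METHOD = 0xABCD            # assumed value; anything other than 0 or 8
NAME = b"AndroidManifest.xml"


def fake_axml(body: bytes) -> bytes:
    """Constructed stand-in for a binary manifest: a ResXMLTree chunk header
    (type 0x0003, header size 8, total chunk size) followed by opaque bytes."""
    return struct.pack("<HHI", 0x0003, 8, 8 + len(body)) + body


def build_apk(manifest: bytes, method: int, overlay: bytes = b"") -> bytes:
    """Write a ZIP containing only AndroidManifest.xml. The method field is
    whatever the caller asks for; unless it is DEFLATED the bytes are written
    as-is. `overlay` is appended after the manifest and counted in the
    declared sizes, so a reader that trusts those sizes copies it too."""
    data = manifest + overlay
    if method == DEFLATED:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as in ZIP
        blob = comp.compress(data) + comp.flush()
    else:
        blob = data
    crc = zlib.crc32(data) & 0xFFFFFFFF
    lfh = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, method, 0, 0,
                                      crc, len(blob), len(data), len(NAME), 0) + NAME
    cdh = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, method, 0, 0,
                                      crc, len(blob), len(data), len(NAME),
                                      0, 0, 0, 0, 0, 0) + NAME
    body = lfh + blob
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh), len(body), 0)
    return body + cdh + eocd


def manifest_entry(apk: bytes):
    """Walk the central directory ourselves (zipfile would refuse the entry
    before we could inspect it). Returns (method, comp_size, uncomp_size, data_off)."""
    eocd = apk.rfind(b"PK\x05\x06")
    total, _cd_size, pos = struct.unpack_from("<HII", apk, eocd + 10)
    for _ in range(total):
        assert apk[pos:pos + 4] == b"PK\x01\x02", "bad central directory"
        method, _crc, csize, usize, nlen, xlen, clen = struct.unpack_from(
            "<H4xIIIHHH", apk, pos + 10)
        lfh = struct.unpack_from("<I", apk, pos + 42)[0]
        if apk[pos + 46:pos + 46 + nlen] == NAME:
            n2, x2 = struct.unpack_from("<HH", apk, lfh + 26)   # local header lengths
            return method, csize, usize, lfh + 30 + n2 + x2
        pos += 46 + nlen + xlen + clen
    raise KeyError("no AndroidManifest.xml")


def strict_extract(apk: bytes):
    """A by-the-book reader (Python's zipfile) refuses an unknown method."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            return zf.read(NAME.decode())
    except (NotImplementedError, zipfile.BadZipFile):
        return None


def lenient_extract(apk: bytes) -> bytes:
    """Model of the behaviour the article attributes to Android: a method other
    than DEFLATE is treated as stored and the declared number of bytes is copied
    verbatim; the binary-XML chunk size then bounds the manifest, so overlay
    bytes after it are simply ignored."""
    method, csize, _usize, off = manifest_entry(apk)
    raw = apk[off:off + csize]
    if method == DEFLATED:
        raw = zlib.decompress(raw, -15)
    chunk = struct.unpack_from("<I", raw, 4)[0]
    return raw[:chunk]


def scan(apk: bytes):
    """Triage check: report the two ZIP-level anomalies described in the text."""
    method, csize, _usize, off = manifest_entry(apk)
    findings = []
    if method not in (STORED, DEFLATED):
        findings.append("invalid compression method 0x%04x" % method)
    if method != DEFLATED:
        chunk = struct.unpack_from("<I", apk, off + 4)[0]
        if csize > chunk:
            findings.append("declared size %d exceeds manifest chunk size %d "
                            "(%d overlay bytes)" % (csize, chunk, csize - chunk))
    return findings


if __name__ == "__main__":
    manifest = fake_axml(b"<constructed manifest body>")
    evasive = build_apk(manifest, BOGUS_METHOD, overlay=b"\xff" * 64)
    print("strict unzip:", strict_extract(evasive))
    print("lenient read recovers manifest:", lenient_extract(evasive) == manifest)
    for finding in scan(evasive):
        print("finding:", finding)
```

Run it as a script to see the strict reader return nothing, the lenient reader recover the manifest, and both findings printed. The lenient reader is a model of the behaviour the article attributes to libziparchive, not a copy of it; what makes the triage check robust is walking the central directory by hand, because a strict library raises before the entry can be inspected.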
Kaspersky has notified Google that Android’s official analysis tool, APK Analyzer, cannot process files that use these evasion methods.
Additionally, BleepingComputer has reached out to Google for comment. We will provide an update here whenever we receive a response.
The SoumniBot Malware as a threat
As soon as it starts, SoumniBot sends the infected device’s profile (phone number, carrier, and so on) to a hardcoded server address and requests its configuration from it.
It then starts a malicious service that uploads the victim’s data every 15 seconds and restarts itself every 16 minutes if it is stopped.
The stolen data includes digital certificates used for online banking, photos and videos, IP addresses, contact lists, account details, and SMS messages.
Exfiltration is orchestrated by an MQTT server that sends commands to the malware. Besides triggering the upload of specific data, the commands let the operator manipulate the compromised device: add or delete contacts, send SMS messages (in effect, forward conversations from the device), change the ringtone volume and toggle silent mode on or off, and switch the device’s debug mode on or off. This command set gives the operators considerable control over the device on top of data theft.
How SoumniBot reaches devices is unknown; the possibilities range from distribution through unofficial Android app stores and rogue websites to infiltrating trusted app repositories and pushing updates that add malicious code to genuine programmes.
SoumniBot targets Korean users. Like other malicious Android apps, it hides its icon after installation to make removal harder, and it keeps uploading victim data while running in the background.
Kaspersky has published a short list of indicators of compromise, including malware hashes and two domains used for command and control.