How to detect and remove SoumniBot Malware on Android

Olanrewaju Adeniyi by Olanrewaju Adeniyi
April 19, 2024

The new “SoumniBot” banking malware for Android takes a different tack from most obfuscation techniques: it exploits loopholes in the way Android extracts and parses the APK manifest.

This technique allows SoumniBot to steal information from Android phones while evading the usual security checks.

Researchers from Kaspersky found and analysed the malware, and published technical details of how it abuses the procedure Android uses to extract APK manifests.

How SoumniBot Malware tricks Android’s parser

Each app’s root directory contains a manifest file called “AndroidManifest.xml.” This file contains information about the app’s components, including services, broadcast receivers, content providers, permissions, and data.

Malicious APKs might employ several techniques to circumvent analysis and security programmes, but according to Kaspersky, SoumniBot employs three distinct approaches that manipulate the size and compression of the manifest file to evade parser checks.

First, the Android ‘libziparchive’ library that unpacks APKs is given a compression method value for the manifest entry that is not valid: it matches neither of the normal values (0 for stored, 8 for Deflate).

The Android APK parser tolerates this quirk. Instead of rejecting the entry, it treats the unrecognised value as if the manifest were stored uncompressed, so the app still installs and runs on the device even though security tools that validate the field may fail to parse it.

The second approach declares an inflated manifest file size in the APK header, larger than the file’s actual size.

Because the entry was marked as uncompressed in the previous step, the manifest is copied straight out of the archive with extra “overlay” data appended to make up the difference.

According to Kaspersky, this additional data confuses code analysis tools but does not affect the device itself, because Android is configured to disregard it.

Third, the manifest uses extremely long strings as XML namespace names, which are too large for many automated analysis tools to process.
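As an added example (not code from the article or from Kaspersky), the following Python script checks the first two manifest tricks described above on a constructed sample APK: it reads only the ZIP central-directory entry for AndroidManifest.xml and flags a compression method other than 0 or 8, and a declared uncompressed size that does not match the stored size. The third trick (oversized namespace strings) would need a binary-XML parser and is not covered; the sample archive and its patched header values are constructed here for illustration.

```python
import io
import struct
import zipfile

# Compression methods a well-formed APK manifest entry may use: 0 (stored) or 8 (Deflate).
VALID_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def manifest_anomalies(apk_bytes: bytes) -> list[str]:
    """Inspect only the ZIP central-directory metadata for AndroidManifest.xml and
    report the two header tricks; nothing is decompressed or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        try:
            info = zf.getinfo("AndroidManifest.xml")
        except KeyError:
            return ["AndroidManifest.xml missing from archive"]
    if info.compress_type not in VALID_METHODS:
        findings.append(f"invalid compression method {info.compress_type} (expected 0 or 8)")
    # Anything Android treats as stored must declare equal compressed and uncompressed
    # sizes; a larger declared size pads the extracted manifest with overlay bytes.
    if info.compress_type != zipfile.ZIP_DEFLATED and info.file_size != info.compress_size:
        findings.append(f"declared size {info.file_size} != stored size {info.compress_size}")
    return findings


def build_sample_apk(method=zipfile.ZIP_STORED, declared_size=None) -> bytes:
    """Constructed sample (not a real SoumniBot file): a one-entry archive whose ZIP
    headers are patched to reproduce the compression-method and size tricks."""
    manifest = b"<manifest package='example.constructed'/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
    data = bytearray(buf.getvalue())
    size = len(manifest) if declared_size is None else declared_size
    # Local file header: method at +8, uncompressed size at +22.
    local = data.index(b"PK\x03\x04")
    struct.pack_into("<H", data, local + 8, method)
    struct.pack_into("<I", data, local + 22, size)
    # Central directory header: method at +10, uncompressed size at +24.
    central = data.index(b"PK\x01\x02")
    struct.pack_into("<H", data, central + 10, method)
    struct.pack_into("<I", data, central + 24, size)
    return bytes(data)


if __name__ == "__main__":
    print("clean:", manifest_anomalies(build_sample_apk()))
    print("both tricks:", manifest_anomalies(build_sample_apk(method=0x1234, declared_size=10_000_000)))
```

A clean archive yields no findings, while a sample carrying both tricks yields two.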

Kaspersky has notified Google that the official analysis tool for Android, APK Analyzer, cannot process files that use the evasion methods above.

Additionally, BleepingComputer has reached out to Google for comment. We will provide an update here whenever we receive a response. 

The SoumniBot Malware as a threat

Right after it starts up, SoumniBot sends the infected device’s profile information (phone number, carrier, etc.) to a hardcoded server address and requests its configuration settings from it.

The next step is to launch a malicious service that uploads the victim’s data every 15 seconds and restarts every 16 minutes if it is stopped.

The stolen information includes digital certificates for online banking, images, videos, IP addresses, contact lists, account information, and SMS messages.

An MQTT server orchestrates the data exfiltration process by sending commands to the malware. Beyond extracting sensitive information, these commands let the operator perform a range of operations on the compromised device: adding or removing contacts; sending SMS messages and forwarding conversations; changing the ringtone volume and toggling silent mode; and turning the device’s debug mode on or off. This command set highlights the malware’s versatility and its ability to both manipulate devices and steal data.

It is unknown how SoumniBot reaches devices; the possibilities range from distribution through unofficial Android stores and rogue websites to infiltrating trustworthy app repositories and adding malicious code to updates of genuine apps.

SoumniBot, which targets Korean users, hides its icon after installation like many other malicious Android apps, making removal more difficult, and continues to upload victim data while running in the background.

Kaspersky provides a short list of indicators of compromise, including malware hashes and two domains used for command and control.

Tags: SoumniBot
Olanrewaju Adeniyi

Olanrewaju is a creative media professional focused on tech storytelling and digital content creation. He produces engaging content on tech, AI, software, and innovation. He also trains staff on using AI tools for research, video editing, and productivity.
