A new Android Trojan, named SoumniBot, has been uncovered targeting users in South Korea. It stands out for abusing weaknesses in how Android extracts and parses the application manifest: the manifest is deliberately malformed in ways that break common analysis tools while still installing normally on a device, according to a detailed technical analysis by Kaspersky researcher Dmitry Kalinin.
Every Android application carries a manifest, AndroidManifest.xml, that declares the app's components, the permissions it requests, and the features it requires. Because analysts typically start an assessment by reading the manifest, SoumniBot's authors use three tricks to make it hard to extract and parse with standard tooling while keeping it acceptable to Android itself.
The first trick is an invalid compression method value in the ZIP headers for the manifest entry. Android's libziparchive library treats any compression-method value other than 0x0000 (stored) or 0x0008 (deflated) as uncompressed data, so the manifest is still read and the app installs. Stricter unpackers reject the entry as malformed and fail to extract it.
The second trick declares a manifest size in the ZIP headers that is larger than the manifest actually is. Because the entry is handled as stored data, Android copies the declared number of bytes, and the surplus bytes that follow the real manifest become "overlay" data that the manifest parser simply ignores. A stricter parser would fail on the malformed entry; Android's raises no error, and the junk bytes are one more obstacle for analysis tools.
The third trick uses very long XML namespace names in the manifest. Tools that build or index those names can run out of memory or time, whereas Android's manifest parser does not validate namespaces and parses the file without error. The net result is a manifest that Android accepts but that common tooling cannot handle.
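The first two tricks are visible at the ZIP level, so they can be flagged before any manifest decoder runs. The script below is an added example (not Kaspersky's code and not derived from a SoumniBot sample): it hand-assembles a minimal APK-like ZIP so that every header field is under our control, then scans the central directory for a manifest entry whose compression method is neither stored nor deflated, and compares the entry's real length with the length recorded in the binary-XML (AXML) chunk header, where the first 8 bytes of a compiled manifest are type 0x0003, header size 8, and the total chunk size. The sample manifest is a constructed stand-in consisting of that header plus zero padding; the namespace trick requires parsing the AXML string pool and is not covered here.

```python
"""Flag the invalid-compression-method and oversized-entry manifest tricks in an APK."""
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
STORED, DEFLATED = 0, 8
RES_XML_TYPE = 0x0003  # chunk type that opens a compiled AndroidManifest.xml

# Constructed stand-in for a compiled manifest: a valid AXML chunk header declaring
# a 32-byte file, followed by zero padding instead of real string-pool/XML chunks.
SAMPLE_MANIFEST = struct.pack("<HHI", RES_XML_TYPE, 8, 32) + bytes(24)


def build_apk(manifest: bytes, method: int, overlay: bytes = b"") -> bytes:
    """Hand-assemble a two-entry ZIP. `method` is written into the headers as-is; data is
    deflated only when method == 8, otherwise stored verbatim (which is how Android treats
    any non-8 value). `overlay` is junk appended after the manifest and counted in the
    declared sizes, reproducing the oversized-entry trick."""
    entries = [("AndroidManifest.xml", manifest + overlay, method),
               ("classes.dex", b"dex\n035\x00constructed placeholder", STORED)]
    body, central = bytearray(), bytearray()
    for name, data, meth in entries:
        if meth == DEFLATED:
            comp = zlib.compressobj(wbits=-15)          # raw deflate, as in ZIP
            payload = comp.compress(data) + comp.flush()
        else:
            payload = data
        name_b, crc, local_offset = name.encode(), zlib.crc32(data), len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, meth, 0, 0, crc,
                            len(payload), len(data), len(name_b), 0) + name_b + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, meth, 0, 0, crc,
                               len(payload), len(data), len(name_b), 0, 0, 0, 0, 0,
                               local_offset) + name_b
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def central_directory(apk: bytes):
    """Yield (name, method, compressed_size, uncompressed_size, local_header_offset)."""
    eocd = apk.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, off, _ = struct.unpack_from("<IHHHHIIH", apk, eocd)
    for _ in range(count):
        (sig, _, _, _, method, _, _, _, csize, usize,
         nlen, elen, clen, _, _, _, lho) = struct.unpack_from("<IHHHHHHIIIHHHHHII", apk, off)
        if sig != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {off:#x}")
        yield apk[off + 46:off + 46 + nlen].decode(), method, csize, usize, lho
        off += 46 + nlen + elen + clen


def entry_data(apk: bytes, lho: int, csize: int) -> bytes:
    """Read `csize` bytes after the local file header, as a permissive unpacker would."""
    nlen, elen = struct.unpack_from("<HH", apk, lho + 26)
    start = lho + 30 + nlen + elen
    return apk[start:start + csize]


def axml_chunk_size(data: bytes):
    """Length of the manifest as recorded in its own AXML header, or None if not AXML."""
    if len(data) < 8:
        return None
    chunk_type, header_size, chunk_size = struct.unpack_from("<HHI", data, 0)
    return chunk_size if chunk_type == RES_XML_TYPE and header_size == 8 else None


def scan_manifest(apk: bytes) -> list:
    """Return findings for the AndroidManifest.xml entry; an empty list means it looks normal."""
    findings = []
    for name, method, csize, usize, lho in central_directory(apk):
        if name != "AndroidManifest.xml":
            continue
        if method not in (STORED, DEFLATED):
            findings.append(f"manifest compression method {method:#06x} is neither stored (0) "
                            f"nor deflated (8); Android treats it as stored, strict unpackers reject it")
        data = entry_data(apk, lho, csize)
        raw = zlib.decompress(data, -15) if method == DEFLATED else data
        declared = axml_chunk_size(raw)
        if declared is None:
            findings.append("manifest entry does not start with an AXML header")
        elif len(raw) > declared:
            findings.append(f"manifest entry carries {len(raw) - declared} bytes beyond the AXML "
                            f"chunk size ({declared}); Android's parser ignores this overlay")
    return findings


if __name__ == "__main__":
    print("clean :", scan_manifest(build_apk(SAMPLE_MANIFEST, STORED)))
    tricky = build_apk(SAMPLE_MANIFEST, 0x0063, overlay=b"JUNK" * 10)  # bogus method + overlay
    print("tricky:", *scan_manifest(tricky), sep="\n  ")
```

Run against a real APK by passing the file's bytes to scan_manifest; the central-directory walk is the same one Android performs, so an entry that trips the method check here is exactly the kind of entry a strict unpacker would refuse while the device still installs it.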
Once running, SoumniBot retrieves its configuration from a hard-coded server address and then talks to its operators over the MQTT messaging protocol, both to upload collected data and to receive commands. It starts a malicious service that is restarted every 16 minutes if it stops for any reason, and that service uploads harvested data every 15 seconds, including device metadata, contact lists, and SMS messages.
SoumniBot can also add and delete contacts, send SMS messages, toggle silent mode, enable Android's debug mode, and hide its app icon to make uninstallation harder. Unusually for Android banking malware, it searches external storage for digital-signature certificate files, specifically the paths used by South Korea's digital certificate services for online banking and other transactions, a capability that marks it as more sophisticated than the typical banking Trojan.
The technique is not unprecedented: malware previously linked to North Korea's Kimsuky group has also hunted for GPKI certificates on infected systems. The broader pattern is malware authors steadily refining their tradecraft, here by exploiting the gap between what strict tools validate and what the platform accepts, to spread without being flagged by existing defenses.
Asked for comment, Google said it has found no instances of SoumniBot in the Google Play Store, and that Google Play Protect, the automated protection enabled by default on Android devices, blocks known versions of the malware even when they are installed from unofficial sources.
The case underlines the continuing threat to users in South Korea from malware that gains initial access through apps installed from outside the official store and keeps its persistence on the device, tactics that map directly onto the initial access and persistence categories of the MITRE ATT&CK framework. It is also a reminder that attackers keep probing for oversights in security validation, in this instance lenient parsing that lets a file Android accepts defeat the tools defenders use to inspect it.