SoumniBot: Banking Trojan that turned Android features against its users

Clever disguise allows the malware to permanently register on infected devices.

A new Android banking trojan, dubbed "SoumniBot", uses an unusual obfuscation method that exploits weaknesses in how the Android manifest is extracted and parsed. This lets it slip past standard security checks and carry out its information-stealing operations.

The technique was identified and analyzed by Kaspersky Lab specialists, who published technical details of how the malware abuses the way Android extracts and parses APK manifests.

"Any APK file is a ZIP archive in whose root directory the file AndroidManifest.xml is located. This file contains information about the declared components, permissions, and other application data, and also helps the operating system extract information about the various entry points to the program," explains researcher Dmitry Kalinin.

"Like the operating system, the analyst first gets acquainted with the manifest, from which he learns about the entry points from which to start analyzing the application code. Most likely, this is what prompted the developers of SoumniBot to explore the features of handling manifests in Android, which allowed them to find several interesting features for obfuscating APKs," the specialist continues.

A distinctive feature of SoumniBot is its use of three different methods for manipulating the manifest file: altering its declared size and compression so that parser checks are defeated.
  • The first method uses an invalid compression value for the APK manifest entry, which allows the malware to bypass standard security checks during unpacking.
  • The second method declares an incorrect size for the manifest file, which misleads code analysis tools because extra data is copied along with the manifest.
  • The third method uses extremely long strings for XML namespace names in the manifest, which makes automated analysis difficult.
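As an added example (not code from Kaspersky's report or from this article), the following Python script builds a tiny constructed APK-like archive, tampers with the manifest entry's ZIP headers in the first two ways described above (an unsupported compression method value and an inflated declared size), and shows the consistency checks an analysis tool can apply before trusting the manifest. The method value 0x1337, the file contents and the size delta are constructed placeholders; the long-namespace trick lives inside the binary XML rather than the ZIP headers and is not covered here.

```python
import io
import struct
import zipfile

MANIFEST = "AndroidManifest.xml"
# Android only accepts these two ZIP methods; anything else is a red flag.
ALLOWED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def build_apk(method=None, size_delta=0):
    """Build a tiny constructed APK-like ZIP, then optionally tamper with the
    manifest entry's compression-method or uncompressed-size header fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, b"<manifest/>" * 20)   # placeholder, not real binary XML
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    eocd = data.rfind(b"PK\x05\x06")                  # end-of-central-directory record
    central = struct.unpack_from("<I", data, eocd + 16)[0]   # first CD entry = manifest
    local = struct.unpack_from("<I", data, central + 42)[0]  # its local file header
    if method is not None:   # method field sits at +8 (local) and +10 (central)
        struct.pack_into("<H", data, local + 8, method)
        struct.pack_into("<H", data, central + 10, method)
    if size_delta:           # uncompressed size sits at +22 (local) and +24 (central)
        real = struct.unpack_from("<I", data, central + 24)[0]
        struct.pack_into("<I", data, local + 22, real + size_delta)
        struct.pack_into("<I", data, central + 24, real + size_delta)
    return bytes(data)


def check_manifest(apk_bytes):
    """Return findings about the manifest entry's ZIP headers (empty = consistent)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        info = zf.getinfo(MANIFEST)
        if info.compress_type not in ALLOWED_METHODS:
            findings.append(f"unsupported compression method {info.compress_type:#06x}")
            return findings   # do not guess how a lenient parser would treat it
        actual = zf.open(info).read()
        if len(actual) != info.file_size:
            findings.append(f"declared size {info.file_size} != actual {len(actual)}")
    return findings


if __name__ == "__main__":
    print("clean      :", check_manifest(build_apk()))
    print("bad method :", check_manifest(build_apk(method=0x1337)))
    print("bad size   :", check_manifest(build_apk(size_delta=4096)))
```

A tool that silently falls back to "stored" on an unknown method, or copies the declared number of bytes regardless of what inflates, is exactly the kind of lenient parser these tricks rely on, so the safe behaviour is to reject the sample rather than repair it.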

Kaspersky Lab informed Google about the shortcomings of its official APK Analyzer utility when handling files that use the bypass methods described above.

According to the findings, after installation SoumniBot requests configuration parameters from a preconfigured server, at the same time sending it information about the infected device, including the phone number, the mobile operator in use, and other data.

The malware then starts a service that restarts every 16 minutes and transmits data from the smartphone every 15 seconds. The stolen data includes IP addresses, contact lists, account details, SMS messages, photos, videos, and digital certificates for online banking.

Data is handled through an MQTT server, which can also send the smartphone commands for the following actions:
  • deleting or adding contacts;
  • sending SMS messages;
  • adjusting the ringtone volume;
  • enabling or disabling silent mode;
  • enabling or disabling debugging mode on the device.

SoumniBot is primarily aimed at Korean mobile banking users. Like many malicious Android apps, once installed it stays active in the background while hiding its icon. This significantly complicates detection and removal of the malware, especially for an inexperienced user.

In its report, Kaspersky Lab provided the relevant indicators of compromise, including hashes of the malware samples and two domains used by the operators for their C2 servers.