
    Unmasking the Deadly SoumniBot: How This Malware Outsmarts Android Security

    SoumniBot Malware Exploits Android Bugs to Evade Detection


    The digital world is filled with threats and dangers, and it seems that there is no escaping them, even in the confines of our own smartphones. The newest threat comes in the form of Android banking malware by the name of SoumniBot. This clever piece of malware uses a less common obfuscation approach by exploiting weaknesses in the Android manifest extraction and parsing procedure.

    With the help of these techniques, SoumniBot is able to slip through standard security measures found in Android phones and perform info-stealing operations undetected. It was discovered and analyzed by Kaspersky researchers, who have provided technical details on the methods used by this malware to take advantage of the Android routine to parse and extract APK manifests.

    Tricking Android’s Parser

    Manifest files (‘AndroidManifest.xml’) are present in the root directory of every app package and contain crucial details about the app’s components, such as services, broadcast receivers, content providers, permissions, and app data.

    While there are various compression tricks that malicious APKs can utilize to outsmart security tools and evade analysis, Kaspersky analysts have discovered that SoumniBot uses three unique methods that involve manipulation of the manifest file’s compression and size in order to bypass parser checks.

    The first method involves the use of an invalid compression value when unpacking an APK’s manifest file. This value deviates from the standard values of 0 or 8 that are expected by the Android ‘libziparchive’ library responsible for parsing the data. Instead of rejecting these values, the Android APK parser defaults to recognizing the data as uncompressed due to a bug, allowing it to bypass security checks and continue execution on the device.

    Extracting the manifest file from the APK (Kaspersky)

    The second method involves misreporting the size of the manifest file in the APK, supplying a value larger than the actual figure. Since the file has been marked as uncompressed in the previous step, it is copied directly from the archive, with junk “overlay” data filling the difference. This extra data may not directly harm the device, since Android is set to ignore it, but it plays a crucial role in confusing code analysis tools.

    Reporting the wrong file size (Kaspersky)

    The third evasion technique used by SoumniBot is to use very long strings for the names of XML namespaces in the manifest file. This makes it very difficult for automated analysis tools to check them, as the tools often lack enough memory to process strings of that length.

    Long strings in manifest (Kaspersky)
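    As an added illustration (not Kaspersky's tooling and not code from the article), the Python script below walks a ZIP central directory and flags the first two header anomalies described above: a manifest entry whose compression method is neither 0 nor 8, and a stored entry whose declared compressed and uncompressed sizes disagree. The archive it checks is constructed inline and then patched by hand to mimic those tricks; the field offsets are the standard ZIP central-directory layout, and the script assumes the archive carries no trailing ZIP comment.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
VALID_METHODS = (0, 8)  # STORED and DEFLATED: the only methods an APK should use


def central_directory(data: bytes):
    """Yield (record_offset, method, csize, usize, name) for every central
    directory record. Assumes no trailing ZIP comment after the EOCD record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count = struct.unpack_from("<H", data, eocd + 10)[0]   # total entry count
    pos = struct.unpack_from("<I", data, eocd + 16)[0]     # central dir offset
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        # method @+10; compressed size @+20; uncompressed size @+24;
        # name/extra/comment lengths @+28/+30/+32; fixed header is 46 bytes
        fields = struct.unpack_from("<H", data, pos + 10) + struct.unpack_from("<IIHHH", data, pos + 20)
        method, csize, usize, name_len, extra_len, comment_len = fields
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, method, csize, usize, name
        pos += 46 + name_len + extra_len + comment_len


def scan_apk(data: bytes) -> list:
    """Return one finding per entry whose header matches the evasion tricks."""
    findings = []
    for _, method, csize, usize, name in central_directory(data):
        if method not in VALID_METHODS:
            findings.append(f"{name}: unexpected compression method {method}")
        elif method == 0 and csize != usize:
            findings.append(f"{name}: stored entry sizes disagree ({csize} vs {usize})")
    return findings


def build_sample(bad_method: int, size_padding: int) -> bytes:
    """Constructed sample: a tiny stored archive whose manifest record is patched
    in the central directory (method and uncompressed size) to mimic the tricks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # 11 bytes, stored
        zf.writestr("classes.dex", b"dex\n035\x00")           # constructed filler
    data = bytearray(buf.getvalue())
    for pos, _, _, usize, name in central_directory(bytes(data)):
        if name == "AndroidManifest.xml":
            struct.pack_into("<H", data, pos + 10, bad_method)            # trick 1
            struct.pack_into("<I", data, pos + 24, usize + size_padding)  # trick 2
    return bytes(data)
```

Running `scan_apk` over `build_sample(0, 0)` reports nothing, while `build_sample(0, 4096)` and `build_sample(0x4A, 0)` each produce one finding for the manifest entry.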

    Kaspersky has informed Google about the inability of APK Analyzer, which is Android’s official analysis utility, to handle files utilizing the above evasion methods. However, there is currently no statement from Google on this matter.

    The SoumniBot Threat

    Once launched, SoumniBot requests its configuration parameters from a hardcoded server address and sends profiling information for the infected device, including carrier details and more. Next, it initiates a malicious service that will restart every 16 minutes if stopped, and transmit stolen data from the victim every 15 seconds. The information that is exfiltrated includes IP addresses, contact lists, account details, SMS messages, photos, videos, and online banking digital certificates.

    Control over this data exfiltration is managed by commands that are received by the malware via an MQTT server. These commands can order functions such as deleting existing or adding new contacts, sending SMS messages (forwarding), setting ringtone volume levels, turning silent mode on or off, and turning the debug mode on or off.

    It is currently unclear how SoumniBot reaches devices, but the methods may vary from distribution over third-party Android stores and unsafe websites to updating trusted applications with malicious code. This malware targets Korean users and, like many other malicious Android apps, it hides its icon after installation to make it more difficult to remove. However, the malware remains active in the background, constantly uploading data from the victim.

    Kaspersky has provided a short list of indicators of compromise, including hashes for the malware and two domains that are used for command and control activity by the malware operators.
