A new Android trojan called SoumniBot was detected in the wild targeting South Korean users by exploiting weaknesses in the manifest extraction and analysis procedure.
The malware is “notable for an unconventional approach to evading analysis and detection, namely Android manifest obfuscation,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest
Knowing that threat hunters typically begin their analysis by inspecting the app’s manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process much more challenging.
The first method relies on an invalid compression method value in the APK's manifest entry: when the libziparchive library decompresses the file, it treats any value other than 0x0000 or 0x0008 as uncompressed.
“This allows app developers to insert any value except 8 into the compression method and write uncompressed data,” Kalinin explained.
“Although any decompressor that correctly implements compression method validation would consider such a manifest invalid, Android’s APK parser correctly recognizes it and allows the application to be installed.”
It is worth pointing out that this method has been adopted since April 2023 by threat actors associated with several Android banking Trojans.
Secondly, SoumniBot misrepresents the size of the stored manifest file, declaring a value that exceeds the actual figure. As a result, the “uncompressed” file is copied directly, and the manifest parser ignores the “overlapping” data that takes up the rest of the declared space in the manifest file.
“The most rigorous manifest parsers would not be able to read such a file, while the Android parser handles the invalid manifest without errors,” Kalinin said.
The final technique has to do with using very long XML namespace names in the manifest file, making it difficult for analysis tools to allocate enough memory to process them. The Android manifest parser, however, is designed to ignore namespaces, so no errors are thrown when it handles the file.
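To make the three tricks concrete from the analyst's side, here is an added checker that reads an APK's ZIP central directory the way an installer does and flags the anomalies described above. This is example code written for this article, not Kaspersky's tooling or part of Android; the 256-byte namespace threshold is an assumed heuristic, and because real manifests are binary AXML, the namespace check runs on a constructed text-XML stand-in rather than a parsed AXML string pool. The fake APKs are built in-memory by a minimal ZIP writer so the checks can be run offline.

```python
"""Flag manifest-level ZIP anomalies in an APK: invalid compression method,
a declared size that overlaps following data, and oversized namespace URIs.

Constructed example: build_zip() writes tiny fake APKs with each anomaly so
check_manifest() can be exercised offline. Real manifests are binary AXML;
the namespace check here is a heuristic on a text XML stand-in.
"""
import re
import struct
import zlib

LOCAL_HDR = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD = "<IHHHHIIH"                  # 22-byte end-of-central-directory record
MANIFEST = "AndroidManifest.xml"
MAX_NAMESPACE_LEN = 256              # assumed threshold, not from the report


def build_zip(entries, overrides=None):
    """Write a stored (method 0) ZIP; `overrides` lets a sample lie in its headers."""
    overrides = overrides or {}
    body, central = bytearray(), bytearray()
    for name, data in entries:
        ov = overrides.get(name, {})
        method = ov.get("method", 0)
        comp = ov.get("compressed_size", len(data))
        uncomp = ov.get("uncompressed_size", len(data))
        crc = zlib.crc32(data) & 0xFFFFFFFF
        nm = name.encode()
        offset = len(body)
        body += struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, method, 0, 0,
                            crc, comp, uncomp, len(nm), 0) + nm + data
        central += struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, 0, method, 0, 0,
                               crc, comp, uncomp, len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = struct.pack(EOCD, 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def read_central_directory(apk):
    """Return one dict per entry from the central directory, plus its offset."""
    eocd_pos = apk.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD, apk, eocd_pos)
    entries, pos = [], cd_off
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_HDR, apk, pos)
        if f[0] != 0x02014B50:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = apk[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "comp_size": f[8],
                        "uncomp_size": f[9], "offset": f[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries, cd_off


def check_manifest(apk):
    """Return a list of findings for the AndroidManifest.xml entry (empty means clean)."""
    entries, cd_off = read_central_directory(apk)
    manifest = next((e for e in entries if e["name"] == MANIFEST), None)
    if manifest is None:
        return ["no AndroidManifest.xml entry"]
    findings = []
    # 1. Only 0 (stored) and 8 (deflate) are valid; libziparchive treats anything else as stored.
    if manifest["method"] not in (0, 8):
        findings.append("invalid compression method %d" % manifest["method"])
    # 2. A stored entry must have equal sizes, and its data must end before the next
    #    local header (or the central directory) begins.
    if manifest["method"] != 8 and manifest["comp_size"] != manifest["uncomp_size"]:
        findings.append("stored entry with mismatched sizes")
    lh = struct.unpack_from(LOCAL_HDR, apk, manifest["offset"])
    data_start = manifest["offset"] + 30 + lh[9] + lh[10]
    data_end = data_start + manifest["comp_size"]
    later = [e["offset"] for e in entries if e["offset"] > manifest["offset"]]
    next_boundary = min(later + [cd_off])
    if data_end > next_boundary:
        findings.append("declared size overlaps the following %d bytes" % (data_end - next_boundary))
    # 3. Oversized namespace URIs (text stand-in; real AXML needs a string-pool parser).
    raw = apk[data_start:min(data_end, next_boundary)]
    for uri in re.findall(rb'xmlns:\w+="([^"]*)"', raw):
        if len(uri) > MAX_NAMESPACE_LEN:
            findings.append("namespace URI of %d bytes" % len(uri))
            break
    return findings


CLEAN_XML = (b'<?xml version="1.0"?><manifest '
             b'xmlns:android="http://schemas.android.com/apk/res/android" '
             b'package="com.example.app"/>')  # constructed stand-in for binary AXML


def sample_apks():
    """Constructed samples: one clean APK and one per evasion technique."""
    filler = [("classes.dex", b"\x00" * 64)]
    long_ns = CLEAN_XML.replace(b"http://schemas.android.com/apk/res/android",
                                b"http://" + b"a" * 4096 + b"/ns")
    return {
        "clean": build_zip([(MANIFEST, CLEAN_XML)] + filler),
        "bad_method": build_zip([(MANIFEST, CLEAN_XML)] + filler, {MANIFEST: {"method": 5}}),
        "size_lie": build_zip([(MANIFEST, CLEAN_XML)] + filler,
                              {MANIFEST: {"compressed_size": len(CLEAN_XML) + 100,
                                          "uncompressed_size": len(CLEAN_XML) + 100}}),
        "long_namespace": build_zip([(MANIFEST, long_ns)] + filler),
    }


if __name__ == "__main__":
    for label, apk in sample_apks().items():
        print(label, check_manifest(apk) or ["ok"])
```

The checker deliberately reads the central directory rather than trusting Python's `zipfile`, which rejects unknown compression methods outright and so would never get as far as reporting why a sample looks wrong. Only the manifest entry is checked, since that is the file whose parsing the Android installer handles leniently; extending the same size and method checks to every entry is a one-line loop.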
SoumniBot, once started, requests configuration information from a hardcoded server address to obtain the addresses of two further servers: one to which collected data is sent and one from which commands are received, both over the MQTT messaging protocol.
It is designed to start a malicious service that restarts every 16 minutes if it terminates for some reason and loads information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS messages, activating silent mode, and enabling Android debug mode, not to mention hiding the app icon to make it more difficult to uninstall from the device.
A notable feature of SoumniBot is its ability to search external storage media for .key and .der files containing paths to “/NPKI/yessign”, which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks and online stock exchanges (NPKI).
“These files are digital certificates issued by Korean banks to their customers and used to access online banking services or to confirm banking transactions,” Kalinin said. “This technique is quite unusual for Android banking malware.”
Earlier this year, cybersecurity firm S2W revealed details of a malware campaign waged by the North Korea-linked Kimsuky group, which used a Golang-based information stealer called Troll Stealer to steal GPKI certificates from Windows systems.
“Malware creators try to maximize the number of devices they infect without being noticed,” Kalinin concluded. “This motivates them to look for new ways to complicate detection. SoumniBot developers unfortunately succeeded due to insufficiently rigorous validations in Android’s manifest parser code.”