Tuesday, November 12, 2024

SoumniBot Exploiting Android Manifest Flaws to Evade Detection


A new banker, SoumniBot, has recently been identified. It targets Korean users and is notable for an unusual method of evading analysis and detection: obfuscating the Android manifest.

In addition to its unique obfuscation, SoumniBot stands out for its ability to steal Korean online banking keys, something Android bankers rarely do.

This capability enables malicious actors to bypass bank authentication procedures and empty the wallets of unsuspecting victims.


Researchers say SoumniBot’s creators succeeded because the validations in the Android manifest parser code were not strict enough.

Techniques Used By SoumniBot

The Kaspersky researchers explain that the standard unarchiving function in the libziparchive library allows only two values for the Compression method in the record header: 0x0000 (STORED, which is uncompressed) and 0x0008 (DEFLATED, which is compressed using the zlib library’s deflate). For any other value it returns an error.

However, rather than using this function, the Android developers chose to implement an alternative scenario in which the value of the Compression method field is validated incorrectly.

“If the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into Compression method and write uncompressed data”, researchers said.

Invalid Compression method value followed by uncompressed data

The Android APK parser successfully identifies the manifest and permits application installation, even though any unpacker that correctly implements compression method validation would consider a manifest like that invalid.

Secondly, the size of the manifest file is indicated in the header of the AndroidManifest.xml entry within the ZIP archive.

If the entry is stored uncompressed, it is copied from the archive unaltered even when its size is indicated inaccurately.

The manifest parser ignores any overlay, that is, any information after the payload that isn’t connected to the manifest.

The malware exploits this: because the archived manifest’s reported size exceeds its real size, some of the archive content is added to the unpacked manifest.

Finally, the names of the XML namespaces are represented by very long strings included in the manifest.

These kinds of strings make manifests unreadable for both people and programs, which might not have enough memory allocated to handle them. 
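A static check for the first two techniques (invalid Compression method, inflated manifest size), given here as an added example that is not code from the original article or from Kaspersky. The function names, the sample archive and the value 0x1234 are constructed for illustration, and the size check assumes the standard Android binary XML layout, where the manifest's own total size sits at offset 4 of the entry data.

```python
import struct

NAME = b"AndroidManifest.xml"
# Constructed 16-byte binary-XML stub: ResChunk_header(type=3, headerSize=8, size=16)
AXML = struct.pack("<HHI", 0x0003, 8, 16) + bytes(8)

def inspect_manifest(apk: bytes) -> list:
    """Flag a bad Compression method and an inflated size on the manifest entry."""
    eocd = apk.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0:
        return ["not a ZIP archive"]
    findings = []
    try:
        count, _, pos = struct.unpack_from("<HII", apk, eocd + 10)
        for _ in range(count):                   # walk the central directory
            method, = struct.unpack_from("<H", apk, pos + 10)
            _, usize, nlen, elen, clen = struct.unpack_from("<IIHHH", apk, pos + 20)
            local, = struct.unpack_from("<I", apk, pos + 42)
            name = apk[pos + 46:pos + 46 + nlen]
            pos += 46 + nlen + elen + clen
            if name != NAME:
                continue
            if method not in (0, 8):             # only STORED and DEFLATED are valid
                findings.append(f"invalid compression method 0x{method:04x}")
            if method != 8:                      # lenient parsers read this as raw data
                l_nlen, l_elen = struct.unpack_from("<HH", apk, local + 26)
                data = local + 30 + l_nlen + l_elen
                # Binary XML records its own total size at offset 4 of the entry data
                ctype, _, axml_size = struct.unpack_from("<HHI", apk, data)
                if ctype == 0x0003 and usize > axml_size:
                    findings.append(
                        f"declared size {usize} exceeds manifest size {axml_size}")
    except struct.error:
        findings.append("truncated ZIP structures")
    return findings

def build_apk(method: int, declared: int, payload: bytes) -> bytes:
    """Constructed sample: one-entry archive with caller-chosen header fields."""
    fields = struct.pack("<HHHHHIII", 20, 0, method, 0, 0, 0, declared, declared)
    lfh = b"PK\x03\x04" + fields + struct.pack("<HH", len(NAME), 0) + NAME
    cdh = (b"PK\x01\x02" + struct.pack("<H", 20) + fields
           + struct.pack("<HHHHHII", len(NAME), 0, 0, 0, 0, 0, 0) + NAME)
    body = lfh + payload
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh), len(body), 0)
    return body + cdh + eocd

if __name__ == "__main__":
    print(inspect_manifest(build_apk(0, 16, AXML)))                       # well-formed
    print(inspect_manifest(build_apk(0x1234, 28, AXML + b"\xAA" * 12)))   # obfuscated
```

The check covers only the uncompressed path; a DEFLATED manifest would need to be inflated before its size is compared, and the long-namespace technique requires parsing the string pool.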

“When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim’s device to mainsite every 15 seconds”, researchers said.

The information contains the victim’s ID, which was created using the trustdevice-android library, contact and account lists, the country inferred from the IP address, SMS and MMS messages, and other data.

The Trojan subscribes to messages from the MQTT server to receive commands.

If you want to avoid becoming a victim of malware of that kind, it is advised to use a reputable security app on your smartphone to identify the Trojan and stop it from installing despite all of its tactics.

Indicators of compromise

MD5
0318b7b906e9a34427bf6bbcf64b6fc8
00aa9900205771b8c9e7927153b77cf2
b456430b4ed0879271e6164a7c0e4f6e
fa8b1592c9cda268d8affb6bceb7a120

C&C
https[://]google.kt9[.]site
https[://]dbdb.addea.workers[.]dev

Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
