Monday, December 23, 2024
HomeAndroidSoumniBot Exploiting Android Manifest Flaws to Evade Detection

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

Published on

SIEM as a Service

A new banker, SoumniBot, has recently been identified. It targets Korean users and is incredible by using an unusual method to evade investigation and detection, notably obfuscating the Android manifest.

In addition to its unique obfuscation, SoumniBot stands out for its ability to steal Korean online banking keys—something Android bankers hardly do. 

This capability enables malicious actors to bypass bank authentication procedures and empty the wallets of unintentional victims. 

- Advertisement - SIEM as a Service

Researchers say SoumniBot’s creators sadly succeeded because the Android manifest parser code’s validations were not strictly enough.

Techniques Used By SoumniBot

The Kaspersky researchers explain that the standard unarchiving function in the libziparchive library only allows the following two values for the Compression method in the record header: 0x0000 (STORED, which is uncompressed) and 0x0008 (DEFLATED, which is compressed using the zlib library’s deflate), else it returns an error.

However, the Android developers choose to provide a different scenario in which the value of the Compression method field is checked wrongly rather than utilizing this function.

“If the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.

xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into Compression method and write uncompressed data”, researchers said.

Invalid Compression method value followed by uncompressed data

The Android APK parser successfully identifies the manifest and permits application installation, even though any unpacker that correctly implements compression method validation would consider a manifest like that invalid.

Secondly, the size of the manifest file is indicated in the header of the AndroidManifest.xml entry within the ZIP archive.

Even though the entry’s size is indicated inaccurately, it will be copied from the archive unaltered if stored uncompressed. 

The manifest parser ignores any overlay or information after the payload that isn’t connected to the manifest.

This is exploited by the malware, which adds some of the archive content to the unpacked manifest due to the archived manifest’s reported size exceeding its real size. 

Finally, the names of the XML namespaces are represented by very long strings included in the manifest.

These kinds of strings make manifests unreadable for both people and programs, which might not have enough memory allocated to handle them. 

“When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim’s device to mainsite every 15 seconds”, researchers said.

The information contains the victim’s ID, which was created using the trust device-android library, contact and account lists, the country inferred from the IP address, SMS and MMS messages, and other data.

The Trojan subscribes to messages from the MQTT server to receive commands.

If you want to avoid becoming a victim of malware of that kind, it is advised to use a reputable security app on your smartphone to identify the Trojan and stop it from installing despite all of its tactics.

Indicators of compromise

MD5
0318b7b906e9a34427bf6bbcf64b6fc8
00aa9900205771b8c9e7927153b77cf2
b456430b4ed0879271e6164a7c0e4f6e
fa8b1592c9cda268d8affb6bceb7a120

C&C
https[://]google.kt9[.]site
https[://]dbdb.addea.workers[.]dev

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...