Novel SoumniBot malware exploits quirks in Android's manifest parsing to avoid detection.
Security researchers at Kaspersky have observed new banking malware in circulation, and a particularly clever one at that.
It is also unusual in that it targets only Korean users, going after the digital certificates they use for online banking.
Dubbed SoumniBot by Kaspersky, the malware was “recently discovered,” although no specific date range is provided. Kaspersky does not go into details about how the malware spreads.
But it’s the way the malware hides itself that has caught the attention of Kaspersky researchers.
“Creators of widespread malware programs often employ various tools that make code detection and analysis difficult, and Android malware is no exception,” Kaspersky researcher Dmitry Kalinin said in a blog post. “As an example of this, droppers, such as Badpack and Hqwar, designed to stealthily distribute banking Trojans or spyware to smartphones, are very popular among malicious actors attacking mobile devices.
“That said, we recently discovered a new banker, SoumniBot, that targets Korean users and stands out for an unconventional approach to evading analysis and detection, i.e. Android manifest obfuscation.”
The Android manifest (AndroidManifest.xml, a compiled XML file stored inside the APK, which is itself a ZIP archive) carries metadata about the application, including its components and entry points. SoumniBot abuses the leniency of Android's manifest parsing in three ways: an invalid compression method value on the manifest entry, an invalid declared manifest size, and extremely long namespace names.
The first method is relatively common across many types of malware and relies on an unusual choice in Android's APK unpacking code. A standard ZIP reader distinguishes the compression method of each entry, at minimum DEFLATE (0x0008) for compressed data and STORED (0x0000) for uncompressed data, and rejects values it does not know. Android's manifest parser checks only for DEFLATE; any other value is treated as uncompressed.
“This allows application developers to put any value except 8 in the compression method and write uncompressed data,” Kaspersky said. “Although any unpacker that correctly implements compression method validation would consider such a manifest invalid, the Android APK parser correctly recognizes it and allows the app to install.”
The second technique, an invalid manifest size, relies on another quirk of Android's APK parser: what it does when the size declared for the manifest entry in the ZIP archive does not match the entry's real size. Data that lies beyond the real entry but is still covered by the declared size is what is called an overlay. While stricter parsers refuse to read such a file, Android's parser simply ignores the discrepancy.
“Malware takes advantage of this: the size of the archived manifest it contains exceeds its actual size, resulting in an overlay, and part of the content of the file is added to the uncompressed manifest,” Kaspersky said.
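To make the first two tricks concrete, here is an added example; it is not code from Kaspersky's write-up or from the malware itself. It builds a small APK-shaped ZIP in memory whose manifest entry carries an unknown compression method and a declared size that overshoots the real entry. A deliberately permissive reader, modelled on the Android behaviour Kaspersky describes rather than on the actual libziparchive source, still returns the manifest (plus an overlay of the bytes that follow it), Python's zipfile module stands in for a strict unpacker and refuses the entry, and an audit() function shows the checks a triage script can run over APKs to flag such entries. The manifest and DEX contents, the method value 0x0021 and the 12-byte overlay are constructed placeholders; a real manifest is compiled binary XML.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORED, DEFLATE = 0, 8
DOS_DATE = ((2024 - 1980) << 9) | (1 << 5) | 1     # any valid MS-DOS date (2024-01-01)

# Constructed placeholder payloads: a real manifest is compiled binary XML, not text.
MANIFEST = b'<manifest package="example.soumnibot.sample"/>'
CLASSES_DEX = b"dex\n035\x00" + b"\x00" * 24
OVERLAY = 12   # bytes by which the crafted manifest's declared size overshoots the real one


def build_zip(entries):
    """Write a ZIP from (name, data, method, declared_csize, raw) tuples.
    `raw` is what is physically stored; `declared_csize` is what the headers claim."""
    body, central = bytearray(), bytearray()
    for name, data, method, declared_csize, raw in entries:
        crc, offset = zlib.crc32(data) & 0xFFFFFFFF, len(body)
        body += LOCAL_SIG + struct.pack("<2B4HL2L2H", 20, 0, 0, method, 0, DOS_DATE,
                                        crc, declared_csize, len(data), len(name), 0) + name + raw
        central += CENTRAL_SIG + struct.pack("<4B4HL2L5H2L", 20, 0, 20, 0, 0, method, 0, DOS_DATE,
                                             crc, declared_csize, len(data), len(name),
                                             0, 0, 0, 0, 0, offset) + name
    cd_offset = len(body)
    body += central + EOCD_SIG + struct.pack("<4H2LH", 0, 0, len(entries), len(entries),
                                             len(central), cd_offset, 0)
    return bytes(body)


def crafted_apk():
    """Manifest entry with method 0x0021 (neither STORED nor DEFLATE) and an oversized declared length."""
    return build_zip([(b"AndroidManifest.xml", MANIFEST, 0x21, len(MANIFEST) + OVERLAY, MANIFEST),
                      (b"classes.dex", CLASSES_DEX, STORED, len(CLASSES_DEX), CLASSES_DEX)])


def clean_apk():
    """Well-formed counterpart: manifest genuinely DEFLATE-compressed, sizes truthful."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw deflate, as ZIP expects
    deflated = c.compress(MANIFEST) + c.flush()
    return build_zip([(b"AndroidManifest.xml", MANIFEST, DEFLATE, len(deflated), deflated),
                      (b"classes.dex", CLASSES_DEX, STORED, len(CLASSES_DEX), CLASSES_DEX)])


def central_directory(blob):
    """Minimal central-directory walk; returns (entries, cd_offset), one dict per entry."""
    eocd = blob.rfind(EOCD_SIG)
    _, _, _, count, _, cd_offset, _ = struct.unpack_from("<4H2LH", blob, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(count):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory")
        f = struct.unpack_from("<4B4HL2L5H2L", blob, pos + 4)
        name_len, extra_len, comment_len, header_offset = f[11], f[12], f[13], f[17]
        ln_name, ln_extra = struct.unpack_from("<2H", blob, header_offset + 26)  # local header lengths
        entries.append({"name": blob[pos + 46:pos + 46 + name_len], "method": f[5],
                        "csize": f[9], "usize": f[10], "header_offset": header_offset,
                        "data_offset": header_offset + 30 + ln_name + ln_extra})
        pos += 46 + name_len + extra_len + comment_len
    return entries, cd_offset


def lenient_read(blob, name):
    """Permissive reader modelled on the behaviour described for Android: anything that is
    not DEFLATE is copied verbatim for the declared compressed length, with no CRC check."""
    for e in central_directory(blob)[0]:
        if e["name"] == name:
            raw = blob[e["data_offset"]:e["data_offset"] + e["csize"]]
            return zlib.decompress(raw, -15) if e["method"] == DEFLATE else raw
    raise KeyError(name)


def strict_read(blob, name):
    """Python's zipfile as a stand-in for a strict unpacker; None means it refused the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(name.decode())
    except (zipfile.BadZipFile, NotImplementedError):
        return None


def audit(blob):
    """Triage checks: unknown compression methods, and declared sizes that run past the
    next entry's local header (or the central directory), i.e. an overlay."""
    entries, cd_offset = central_directory(blob)
    entries.sort(key=lambda e: e["header_offset"])
    findings = []
    for i, e in enumerate(entries):
        label = e["name"].decode(errors="replace")
        if e["method"] not in (STORED, DEFLATE):
            findings.append(f"{label}: unknown compression method 0x{e['method']:04x}")
        limit = entries[i + 1]["header_offset"] if i + 1 < len(entries) else cd_offset
        excess = e["data_offset"] + e["csize"] - limit
        if excess > 0:
            findings.append(f"{label}: declared size overlaps next entry by {excess} bytes")
    return findings


if __name__ == "__main__":
    for tag, blob in (("crafted", crafted_apk()), ("clean", clean_apk())):
        print(tag, "lenient:", lenient_read(blob, b"AndroidManifest.xml"))
        print(tag, "strict :", strict_read(blob, b"AndroidManifest.xml"))
        print(tag, "audit  :", audit(blob))
```

Running the script shows the asymmetry the article describes: the permissive reader hands back the manifest from the crafted archive (with the start of the next local file header tacked on as overlay), while zipfile refuses it and audit() reports both anomalies; the clean archive passes all three. In practice, an entry named AndroidManifest.xml with a method other than 0 or 8, or whose declared size runs into the next entry, has no legitimate reason to exist and is a cheap, high-signal indicator to add to APK triage.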
Finally, SoumniBot uses extremely long XML namespace names in the manifest: strings so long that analysis tools run out of memory trying to process them. Since Android's manifest parser ignores namespaces entirely, it handles such a manifest without raising any errors.
Once installed, the malware hides its app icon, which makes removing it harder even once it is noticed, and begins uploading data from the infected device to the attackers' server infrastructure every 15 seconds. If the malicious service stops running, the malware restarts it every 16 seconds.
The malware can collect the device's IP address (and from it the device's country), the contact list, SMS messages, and a unique device ID obtained through a trusted-device library on Android. It also receives messages from its C&C infrastructure, through which the operators issue remote commands, including one that puts the device into silent mode as well as commands that trigger the collection functions above.
One command in particular, command 0, deserves special mention, according to Kaspersky.
“It searches, among other things, external storage media for .key and .der files in paths containing /NPKI/yessign,” Kaspersky said.
“If the application finds files like that, it copies the directory where they are located to a ZIP file and sends it to the C&C server. These files are digital certificates issued by Korean banks to their customers and used to log in to online banking services or confirm banking transactions.”
With these certificates, together with the other data the malware steals, the threat actors behind SoumniBot could potentially empty victims' bank accounts.
The combination of such a specific target and its obfuscation methods makes SoumniBot a rare beast, according to Kaspersky. However, the security company has not attributed it to any specific threat actor.