SoumniBot, a newly identified Android trojan, has been spotted in the open attempting to compromise users in South Korea by exploiting vulnerabilities in the manifest extraction and parsing process. “By obfuscating the Android manifest, the malware is notable for an unconventional method of evading analysis and detection,” according to Kaspersky’s analyst Dmitry Kalinin highlighted in technical analysis.
Each Android application comes with a manifest XML file (“AndroidManifest.xml”), stored in the root directory. This file specifies the hardware and software features, permissions, and app components that the application requires. Since threat hunters usually start their investigation by looking at the app’s manifest file to see how it acts, the people who made the malware have been found to use three different methods to make the process much harder.
The initial approach is utilising an incorrect Compression method value while unpacking the manifest file of the APK by using the libziparchive library. This library considers any value apart from 0x0000 or 0x0008 as uncompressed. “This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin stated. Again, Kalinin stated, “Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognises it correctly and allows the application to be installed.” It’s important to note that since April 2023, threat actors connected to multiple Android banking trojans have been using this technique.
Second, SoumniBot provides an inflated value for the size of the archived manifest file; this causes the “uncompressed” file to be copied directly, with the manifest parser disregarding the remaining “overlay” data that occupies the remaining space.
The final technique involves using long XML namespace names in the manifest file, which makes it difficult for analysis tools to allocate sufficient memory to process them. However, the manifest parser is designed to ignore namespaces, so no errors are generated when the file is processed.
Once launched, SoumniBot requests configuration information from a hard-coded server address to obtain the servers used to send collected data and receive commands via the MQTT messaging protocol. It’s intended to launch a malicious service that restarts every 16 minutes if it crashes for any reason and uploads data every 15 seconds. This includes device metadata, contact lists, SMS messages, images, videos, and a list of installed apps. The malware can also add and delete contacts, send SMS, toggle silent mode, and enable Android’s debug mode, not to mention hiding the app icon to make it more difficult to uninstall from the device.
One notable feature of SoumniBot is its ability to search external storage media for .key and .der files with paths to “/NPKI/yes sign,” which refers to South Korea’s digital signature certificate service for governments (GPKI), banks, and online stock exchanges (NPKI).
The Kimusuky group, which has ties to North Korea, carried out a malware campaign earlier this year that used a Golang-based information stealer named Troll Stealer to steal GPKI certificates from Windows systems. Details of this campaign were made public by cybersecurity company S2W.
“Malware creators seek to maximise the number of devices they infect without being noticed,” Kalinin said. This encourages them to seek out novel approaches to make detection more difficult. Unfortunately, the lack of sufficiently stringent validations in the Android manifest parser code allowed the SoumniBot developers to succeed.”
When The Hacker News publication reached out for comment, Google confirmed that there are no apps containing SoumniBot on the Google Play Store for Android. “Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices running Google Play Services. Google Play Protect can warn users or block apps that are known to exhibit malicious behaviour, even if they are downloaded from sources other than Google Play,” it added.
