A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure.
The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file (“AndroidManifest.xml”) that’s located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.
Knowing that threat hunters typically commence their analysis by inspecting the app’s manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to resist analysis.
The first method involves the use of an invalid Compression method value when unpacking the APK’s manifest file using the libziparchive library, which treats any value other than 0x0000 or 0x0008 as uncompressed.
“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin explained.
“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed.”
It’s worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file size, providing a value that exceeds the actual figure, as a result of which the “uncompressed” file is directly copied, with the manifest parser ignoring the rest of the “overlay” data that takes up the rest of the available space.
“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin said.
The final technique has to do with utilizing long XML namespace names in the manifest file, thus making it difficult for analysis tools to allocate enough memory to process them. That said, the manifest parser is designed to ignore namespaces, and, as a result, no errors are raised when handling the file.
SoumniBot, once launched, requests its configuration information from a hard-coded server address to obtain the servers used to send the collected data and receive commands using the MQTT messaging protocol, respectively.
It’s designed to launch a malicious service that restarts every 16 minutes if it terminates for some reason, and uploads the information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android’s debug mode, not to mention hiding the app icon to make it difficult to uninstall from the device.
One noteworthy feature of SoumniBot is its ability to search the external storage media for .key and .der files containing paths to “/NPKI/yessign,” which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks, and online stock exchanges (NPKI).
“These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions,” Kalinin said. “This technique is quite uncommon for Android banking malware.”
Earlier this year, cybersecurity company S2W revealed details of a malware campaign undertaken by the North Korea-linked Kimusuky group that made use of a Golang-based information stealer called Troll Stealer to siphon GPKI certificates from Windows systems.
“Malware creators seek to maximize the number of devices they infect without being noticed,” Kalinin concluded. “This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code.”