A new Android malware dubbed SoumniBot has surfaced, targeting users in South Korea and exploiting weaknesses in how Android extracts and parses manifest files.
The malware stands out for its unconventional approach to evading detection and analysis, chiefly by obfuscating the Android manifest, as Kaspersky researcher Dmitry Kalinin notes in a detailed write-up.
Every Android application includes a manifest XML file, “AndroidManifest.xml,” in its root directory that declares the app’s components, the permissions it requests, and the hardware and software features it requires.
Because analysts typically begin by examining an app’s manifest to understand what it does, the malware’s authors have applied three distinct techniques that make this step considerably harder.
The first is the use of an invalid Compression method value for the manifest entry, which comes into play when the APK is unpacked with the libziparchive library: the library accepts any value other than 0x0000 or 0x0008 and in that case treats the data as uncompressed. A properly implemented compression method validator would reject such a manifest as invalid, yet the Android APK parser reads it without complaint and the app installs.
Malicious actors behind various Android banking trojans have used this approach since April 2023, underscoring how common it has become in the threat landscape.
Second, SoumniBot tampers with the size of the archived manifest file, declaring a value larger than the actual size. The “uncompressed” file is then copied directly as declared, and the manifest parser simply ignores the surplus “overlay” data. Stricter manifest parsers would fail on such a file, but the Android parser handles the flawed manifest without raising any error.
The third tactic is to use very long XML namespace names in the manifest, which prevents analysis tools from allocating enough memory to process it. The manifest parser, however, is designed to ignore namespaces and so processes the file without any error.
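The first two tricks are visible at the ZIP and binary-XML level before any manifest decoding takes place, which is where a triage tool can catch them. The following is an added example written for this article, not code from Kaspersky or from the malware analysis: it reads the AndroidManifest.xml entry’s central-directory record and local file header directly and flags a compression method outside STORED/DEFLATED, a stored entry whose size fields disagree, and an entry whose declared size exceeds the size recorded in the binary XML’s own leading ResChunk header (the overlay case). The single-entry archives it checks are constructed fixtures built by `build_fixture`, and the bad method value 0x0001 used in the demo is just one constructed instance of “anything other than 0x0000 or 0x0008.” The third trick (oversized namespace names) is not covered, since that needs a string-pool parser.

```python
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")           # 30-byte ZIP local file header
CENTRAL_HDR = struct.Struct("<IHHHHHHIIIHHHHHII")   # 46-byte central directory entry
EOCD = struct.Struct("<IHHHHIIH")                   # 22-byte end-of-central-directory record
RES_XML_TYPE = 0x0003  # chunk type in the ResChunk header that starts a binary AndroidManifest.xml


def inspect_manifest(apk: bytes) -> dict:
    """Flag the manifest header tricks on the AndroidManifest.xml entry of an APK.

    The entry is located via the central directory, but its bytes are read
    straight from the local file header rather than through a ZIP decoder,
    which would either refuse the bad method or copy the over-declared size.
    """
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:  # used only to find the entry
        try:
            info = zf.getinfo("AndroidManifest.xml")
        except KeyError:
            return {"present": False, "flags": ["manifest_missing"]}

    hdr = LOCAL_HDR.unpack_from(apk, info.header_offset)
    if hdr[0] != 0x04034B50:
        raise ValueError("bad local file header signature")
    data_start = info.header_offset + LOCAL_HDR.size + hdr[9] + hdr[10]  # skip name + extra
    method, declared = info.compress_type, info.compress_size
    raw = apk[data_start:data_start + declared]
    flags = []

    # Trick 1: a method other than STORED/DEFLATED is silently treated as
    # uncompressed by the APK parser; a strict validator flags it instead.
    if method not in (STORED, DEFLATED):
        flags.append("unexpected_compression_method")

    # Trick 2: an entry handled as stored must declare equal sizes, and the
    # binary XML's own total size (bytes 4..8 of its ResChunk header) must
    # account for every byte copied; anything past it is overlay data.
    payload = zlib.decompress(raw, -15) if method == DEFLATED else raw
    if method != DEFLATED and info.compress_size != info.file_size:
        flags.append("size_mismatch")
    if len(payload) >= 8:
        chunk_type, _header_size, chunk_size = struct.unpack_from("<HHI", payload, 0)
        if chunk_type == RES_XML_TYPE and chunk_size < len(payload):
            flags.append("overlay_data")
    return {"present": True, "method": method, "declared_size": declared,
            "payload_size": len(payload), "flags": flags}


def sample_manifest(size: int = 64) -> bytes:
    """Constructed stand-in for a binary AndroidManifest.xml; only the leading
    ResChunk header (type, header size, total size) is meaningful here."""
    return struct.pack("<HHI", RES_XML_TYPE, 8, size) + b"\x00" * (size - 8)


def build_fixture(manifest: bytes, method: int, declared_size: int = 0) -> bytes:
    """Constructed single-entry APK-style archive for testing (not a real sample).

    With DEFLATED the manifest is genuinely compressed and the sizes are right.
    With any other method it is stored as-is and both size fields are set to
    declared_size (default: the true length), padding the entry so the scanner
    sees bytes beyond the manifest just as it would see overlay data.
    """
    name = b"AndroidManifest.xml"
    crc = zlib.crc32(manifest)
    if method == DEFLATED:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as in ZIP
        body = comp.compress(manifest) + comp.flush()
        csize, usize = len(body), len(manifest)
    else:
        csize = usize = declared_size or len(manifest)
        body = manifest + b"\x00" * (csize - len(manifest))
    local = LOCAL_HDR.pack(0x04034B50, 20, 0, method, 0, 0, crc, csize, usize, len(name), 0) + name
    central = CENTRAL_HDR.pack(0x02014B50, 20, 20, 0, method, 0, 0, crc, csize, usize,
                               len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD.pack(0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


if __name__ == "__main__":
    m = sample_manifest()
    print("clean:  ", inspect_manifest(build_fixture(m, DEFLATED))["flags"])
    print("method: ", inspect_manifest(build_fixture(m, 0x0001))["flags"])  # 0x0001: constructed bad value
    print("overlay:", inspect_manifest(build_fixture(m, STORED, declared_size=200))["flags"])
```

Running the three fixtures yields no flags for the clean archive, `unexpected_compression_method` for the bogus method, and `overlay_data` for the stored entry that declares 200 bytes while its ResChunk header says 64. In a real APK the bytes past the chunk size would be the next entry’s data rather than zero padding, so the chunk-size comparison, not the padding, is the check that matters.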
On launch, SoumniBot fetches its configuration from a hard-coded server address to learn which servers it should use for uploading collected data and receiving commands over the MQTT messaging protocol.
The malware starts a malicious service that is restarted every 16 minutes if it is terminated, and uploads data every 15 seconds. That data includes device metadata, contact lists, SMS messages, multimedia files, and a list of installed applications.
SoumniBot can also modify contacts, send SMS messages, toggle silent mode, and enable Android’s debug mode, and it hides its application icon to make uninstalling it from the device harder.
An interesting aspect of SoumniBot is its ability to search external storage media for .key and .der files whose paths contain “/NPKI/yessign,” which relate to the digital signature certificate service South Korea provides for government (GPKI), banking, and online stock exchange (NPKI) purposes.
These files are digital certificates issued by Korean banks to their customers and used to log in to online banking or confirm banking transactions; targeting them is a technique rarely seen in Android banking malware.
Earlier this year, cybersecurity firm S2W disclosed details of a malware campaign by the North Korea-linked Kimsuky group featuring a Golang-based information stealer named Troll Stealer, designed to steal GPKI certificates from Windows systems.
“In their pursuit to maximize their infection footprint while evading detection, malware creators continuously seek innovative methods to obfuscate their activities,” concluded Kalinin. “The developers of SoumniBot have regrettably achieved success owing to inadequately stringent validations in the Android manifest parser code.”