Security researchers are concerned about the evasion strategies and covert operation of a recently discovered Android banking malware called ‘SoumniBot.’ Unlike conventional malware, SoumniBot relies on uncommon obfuscation tactics: it exploits flaws in the way Android extracts and parses the APK manifest in order to avoid detection and carry out its information-stealing activities unnoticed.
Research indicates that the way SoumniBot operates consists of tampering with the Android function that parses and extracts APK manifests. These manifests are essential to all Android applications and hold important information about the data, permissions, and components of the app.
SoumniBot employs three discrete techniques to evade security measures implemented during this parsing procedure.
First, SoumniBot stores the APK’s manifest file with an unusual compression method. Because the Android APK parser library tolerates this deviation, the application installs and runs on the device without triggering alerts from analysis tools that reject or mishandle such files.
Second, the malware falsely reports the size of the manifest file and pads it with extra data, which further confuses analysis tools. Third, it uses very long strings in XML namespaces; combined with the size trick, this presents a serious obstacle to automated detection systems, which often run out of memory while trying to process the file.
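The three tricks above all live in the zip container and the manifest it carries, so a defender can triage an APK for them without running it. The following is an added example (not code from the article, from Kaspersky, or from any Android tooling) that reads the zip central directory itself instead of trusting a zip library, then flags a manifest whose compression method is neither stored nor deflate, whose declared uncompressed size disagrees with the bytes actually present, or whose namespace URIs exceed a threshold. The 1024-byte namespace threshold, the decision to treat any non-deflate method as stored data, and the sample archives built for the test are assumptions of this example; the namespace check runs on a text manifest, so a real binary AXML manifest would need decoding first.

```python
# Added example: zip-level triage for the manifest-parsing evasions described in the article.
import io
import re
import struct
import zipfile
import zlib
from typing import List, NamedTuple, Optional

MANIFEST_NAME = "AndroidManifest.xml"
ANDROID_METHODS = {0, 8}      # stored and deflate: the only methods an ordinary APK uses
MAX_NAMESPACE_LEN = 1024      # assumption: longer namespace URIs are treated as suspicious


class Entry(NamedTuple):
    name: str
    method: int
    compressed_size: int
    declared_size: int        # uncompressed size as claimed by the central directory
    local_header: int         # offset of the local file header
    cd_offset: int            # offset of this record inside the central directory


def central_directory(apk: bytes) -> List[Entry]:
    """Parse the zip central directory by hand (the view most analysis tools start from)."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", apk, eocd + 12)
    entries, pos = [], cd_offset
    while pos < cd_offset + cd_size:
        if apk[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        method, = struct.unpack_from("<H", apk, pos + 10)
        csize, usize = struct.unpack_from("<II", apk, pos + 20)
        nlen, elen, clen = struct.unpack_from("<HHH", apk, pos + 28)
        lho, = struct.unpack_from("<I", apk, pos + 42)
        name = apk[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(Entry(name, method, csize, usize, lho, pos))
        pos += 46 + nlen + elen + clen
    return entries


def entry_payload(apk: bytes, e: Entry) -> bytes:
    """Raw stored bytes of an entry, located through its local file header."""
    if apk[e.local_header:e.local_header + 4] != b"PK\x03\x04":
        raise ValueError("corrupt local file header")
    nlen, elen = struct.unpack_from("<HH", apk, e.local_header + 26)
    start = e.local_header + 30 + nlen + elen
    return apk[start:start + e.compressed_size]


def namespace_uris(manifest_xml: bytes) -> List[bytes]:
    """Namespace declarations in a text manifest (binary AXML must be decoded first)."""
    return [m.group(1) for m in re.finditer(rb'xmlns(?::[\w.-]+)?\s*=\s*"([^"]*)"', manifest_xml)]


def inspect_manifest(apk: bytes) -> List[str]:
    """Return findings for the manifest entry; an empty list means it looks ordinary."""
    findings: List[str] = []
    for e in central_directory(apk):
        if e.name != MANIFEST_NAME:
            continue
        if e.method not in ANDROID_METHODS:
            findings.append(f"unusual compression method {e.method} on manifest")
        payload = entry_payload(apk, e)
        if e.method == 8:
            try:
                actual = zlib.decompress(payload, -15)   # raw deflate, as zip stores it
            except zlib.error:
                findings.append("manifest deflate stream does not decompress")
                actual = b""
        else:
            actual = payload   # assumption: any non-deflate method is read as stored data
        if len(actual) != e.declared_size:
            findings.append(f"declared manifest size {e.declared_size} != actual {len(actual)}")
        for uri in namespace_uris(actual):
            if len(uri) > MAX_NAMESPACE_LEN:
                findings.append(f"namespace URI of {len(uri)} bytes")
        return findings
    return ["no AndroidManifest.xml in archive"]


# --- constructed fixtures for running the checker offline (not real applications) ---
BENIGN_MANIFEST = (b'<?xml version="1.0"?>\n'
                   b'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                   b'package="com.example.placeholder"/>\n')


def build_sample_apk(manifest: bytes, deflate: bool = False) -> bytes:
    """Constructed APK-shaped zip containing a manifest and a placeholder dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
        zf.writestr(MANIFEST_NAME, manifest, compress_type=method)
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


def tamper_manifest_entry(apk: bytes, method: Optional[int] = None,
                          declared_size: Optional[int] = None) -> bytes:
    """Constructed fixture: rewrite the manifest's central-directory fields so the archive
    shows the method/size inconsistencies the article describes."""
    buf = bytearray(apk)
    for e in central_directory(apk):
        if e.name == MANIFEST_NAME:
            if method is not None:
                struct.pack_into("<H", buf, e.cd_offset + 10, method)
            if declared_size is not None:
                struct.pack_into("<I", buf, e.cd_offset + 24, declared_size)
    return bytes(buf)


if __name__ == "__main__":
    print("clean:", inspect_manifest(build_sample_apk(BENIGN_MANIFEST, deflate=True)))
    tampered = tamper_manifest_entry(build_sample_apk(BENIGN_MANIFEST), method=31, declared_size=4096)
    print("tampered:", inspect_manifest(tampered))
```

The checker deliberately re-reads sizes from the local file header rather than taking the central directory at its word, because the article's point is that the container's own bookkeeping is what the malware falsifies; a tool that trusts one of the two copies is exactly the tool the technique defeats.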
The malware is still not very common on Google Play, even after researchers alerted Google to how poorly Android’s official analysis tool, APK Analyzer, handled files using SoumniBot’s evasion techniques. Google Play Protect protects users automatically by identifying known malware versions and warning the user, even when the app comes from a source other than the Play Store.
After installation, SoumniBot functions covertly, establishing contact with a hardcoded server to obtain configuration parameters and device profiling data. It creates a malicious background service that restarts on a regular basis to evade discovery. Periodically, sensitive information such as IP addresses, contact lists, account credentials, SMS messages, multimedia files, and online banking certificates are stolen.
Under the direction of commands received through an MQTT server, SoumniBot can perform a number of tasks, including modifying contacts, forwarding SMS messages, adjusting volume levels, and switching debug modes on and off. Although the malware predominantly targets Korean users, it is unclear how it spreads; possibilities include updates to legitimate programs that carry malicious code, or third-party app stores.
Indicators of compromise, such as malware hashes and the domains used for command-and-control, were supplied to help detect possible infections. The key to SoumniBot’s persistence is that it hides its icon after installation while continuing to run in the background and exfiltrate data.
Ultimately, SoumniBot poses a serious risk to Android users by exploiting flaws in the platform’s manifest parser to operate covertly and leak private data. Vigilance, sound security practices, and keeping devices and apps up to date remain essential for reducing the risk posed by such advanced malware.