A brand new Android trojan known as SoumniBot has been detected within the wild focusing on customers in South Korea by leveraging weaknesses within the manifest extraction and parsing process.
The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin mentioned in a technical evaluation.
Each Android app comes with a manifest XML file (“AndroidManifest.xml”) that is positioned within the root listing and declares the varied parts of the app, in addition to the permissions and the {hardware} and software program options it requires.
Understanding that risk hunters usually begin their evaluation by inspecting the app’s manifest file to find out its conduct, the risk actors behind the malware have been discovered to leverage three completely different methods to make the method much more difficult.
The primary technique entails the usage of an invalid Compression technique worth when unpacking the APK’s manifest file utilizing the libziparchive library, which treats any worth aside from 0x0000 or 0x0008 as uncompressed.
“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin defined.
“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed.”
It is value stating right here that the tactic has been adopted by risk actors related to a number of Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file measurement, offering a worth that exceeds the precise determine, on account of which the “uncompressed” file is straight copied, with the manifest parser ignoring the remainder of the “overlay” information that takes up the remainder of the obtainable area.
“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin mentioned.
The ultimate approach has to do with using lengthy XML namespace names within the manifest file, thus making it tough for evaluation instruments to allocate sufficient reminiscence to course of them. That mentioned, the manifest parser is designed to disregard namespaces, and, in consequence, no errors are raised when dealing with the file.
SoumniBot, as soon as launched, requests its configuration data from a hard-coded server tackle to acquire the servers used to ship the collected information and obtain instructions utilizing the MQTT messaging protocol, respectively.
It is designed to launch a malicious service that restarts each 16 minutes if it terminates for some cause, and uploads the knowledge each 15 seconds. This consists of gadget metadata, contact lists, SMS messages, photographs, movies, and an inventory of put in apps.
The malware can be able to including and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android’s debug mode, to not point out hiding the app icon to make it tougher to uninstall from the devic
One noteworthy characteristic of SoumniBot is its capability to go looking the exterior storage media for .key and .der information containing paths to “/NPKI/yessign,” which refers back to the digital signature certificates service provided by South Korea for governments (GPKI), banks, and on-line inventory exchanges (NPKI).
“These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions,” Kalinin mentioned. “This technique is quite uncommon for Android banking malware.”
Earlier this yr, cybersecurity firm S2W revealed particulars of a malware marketing campaign undertaken by the North Korea-linked Kimusuky group that made use of a Golang-based data stealer known as Troll Stealer to siphon GPKI certificates from Home windows programs.
“Malware creators seek to maximize the number of devices they infect without being noticed,” Kalinin concluded. “This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code.”
