A new banker, SoumniBot, was recently identified. It targets Korean users and uses an unusual method to evade investigation and detection, including obfuscating the Android manifest.
In addition to its unique obfuscation, SoumniBot stands out for its ability to steal Korean online banking keys, something Android bankers rarely do.
This capability allows malicious actors to bypass bank authentication procedures and empty the wallets of unwitting victims.
The researchers say SoumniBot’s creators were unfortunately successful because the Android manifest parser code validations weren’t strict enough.
Techniques used by SoumniBot
Kaspersky researchers explain that the standard unarchiving function of the libziparchive library only accepts two values for the compression method in the record header: 0x0000 (STORED, i.e. not compressed) and 0x0008 (DEFLATED, compressed with deflate from the zlib library); any other value makes it return an error.
However, the Android developers chose not to use this function and instead implemented their own scenario, in which the Compression method field value is checked incorrectly.
“If the APK parser encounters a compression method value other than 0x0008 (DEFLATED) in the APK for AndroidManifest.xml, it considers the data uncompressed. This allows application developers to put any value except 8 in the compression method and write uncompressed data,” the researchers said.
The Android APK parser successfully identifies the manifest and allows the application to be installed, although any decompressor that correctly implements compression method validation would consider such a manifest invalid.
Second, the size of the manifest file is specified in the header of the AndroidManifest.xml entry in the ZIP archive.
Even if the size of the entry is specified inaccurately, it will be copied from the archive without modification if stored uncompressed.
The manifest parser ignores any overlay, that is, information after the payload that is not connected to the manifest.
The malware exploits this: because the reported size of the archived manifest exceeds its actual size, part of the archive contents is appended to the unpacked manifest.
Finally, XML namespace names are represented by very long strings included in the manifest.
These types of strings make manifests unreadable to both people and programs, which may not have enough memory allocated to handle them.
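The first two tricks above can be caught at the ZIP level by applying the checks a strict unarchiver would apply. The following script is an added example, not Kaspersky's or Android's code: it walks the central directory of an APK, finds AndroidManifest.xml, and flags a compression method other than STORED or DEFLATED, size fields that disagree for a stored entry, and a local file header that contradicts the central directory. The sample archive it builds and then patches in place is constructed here for illustration.

```python
import io
import struct
import zipfile

STORED, DEFLATED = 0x0000, 0x0008  # the only methods libziparchive accepts

def _entries(data):
    """Walk the central directory; yield (cd_off, name, method, csize, usize, local_off)."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count = struct.unpack_from("<H", data, eocd + 10)[0]
    off = struct.unpack_from("<I", data, eocd + 16)[0]
    for _ in range(count):
        if data[off:off + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        # method @+10, skip time/date/crc, compressed @+20, uncompressed @+24, then name/extra/comment lengths
        method, csize, usize, nlen, xlen, clen = struct.unpack_from("<H8xIIHHH", data, off + 10)
        local = struct.unpack_from("<I", data, off + 42)[0]
        name = bytes(data[off + 46:off + 46 + nlen]).decode("utf-8", "replace")
        yield off, name, method, csize, usize, local
        off += 46 + nlen + xlen + clen

def audit_manifest(data):
    """Return the findings a strict unzipper would raise for AndroidManifest.xml (empty list = clean)."""
    findings = []
    for _cd_off, name, method, csize, usize, local in _entries(data):
        if name != "AndroidManifest.xml":
            continue
        if method not in (STORED, DEFLATED):
            findings.append(f"unsupported compression method 0x{method:04x}")
        if method == STORED and csize != usize:
            findings.append(f"stored entry sizes disagree: compressed={csize} uncompressed={usize}")
        # local header: method @+8, skip time/date/crc, compressed @+18, uncompressed @+22
        if struct.unpack_from("<H8xII", data, local + 8) != (method, csize, usize):
            findings.append("local header and central directory disagree")
    return findings

def make_sample(method=STORED, csize=None):
    """Constructed sample: a minimal APK-like ZIP with a stored manifest, optionally patched like the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not real binary XML
        z.writestr("classes.dex", b"dex\n")
    data = bytearray(buf.getvalue())
    for cd_off, name, _m, _c, _u, local in list(_entries(data)):
        if name == "AndroidManifest.xml":
            struct.pack_into("<H", data, cd_off + 10, method)  # central directory method field
            struct.pack_into("<H", data, local + 8, method)    # local header method field
            if csize is not None:
                struct.pack_into("<I", data, cd_off + 20, csize)  # overstate the size only in the central directory
    return bytes(data)
```

Running `audit_manifest` over a real APK only needs `open(path, "rb").read()` in place of `make_sample()`.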
“When first executed, the Trojan hides the app icon to make removal more difficult, then begins downloading data in the background from the victim’s device to the main site every 15 seconds,” the researchers explained.
The information contains the victim’s ID, which was created using the trusted device library-Android, contact and account lists, country deduced from the IP address, SMS and MMS messages and other data.
The Trojan subscribes to messages from the MQTT server to receive commands.
If you want to avoid falling victim to malware of this type, it is advisable to use a reputable security application on your smartphone to identify the Trojan and prevent it from installing despite all its tactics.