A brand new Android trojan known as SoumniBot has been detected within the wild concentrating on customers in South Korea by leveraging weaknesses within the manifest extraction and parsing process.
The malware is “notable for an unconventional method to evading evaluation and detection, particularly obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin mentioned in a technical evaluation.
Each Android app comes with a manifest XML file (“AndroidManifest.xml”) that is situated within the root listing and declares the varied elements of the app, in addition to the permissions and the {hardware} and software program options it requires.
Understanding that risk hunters sometimes start their evaluation by inspecting the app’s manifest file to find out its habits, the risk actors behind the malware have been discovered to leverage three completely different strategies to withstand evaluation.
The primary technique includes the usage of an invalid Compression technique worth when unpacking the APK’s manifest file utilizing the libziparchive library, which treats any worth aside from 0x0000 or 0x0008 as uncompressed.
“This enables app builders to place any worth besides 8 into the Compression technique and write uncompressed knowledge,” Kalinin defined.
“Though any unpacker that appropriately implements compression technique validation would take into account a manifest like that invalid, the Android APK parser acknowledges it appropriately and permits the applying to be put in.”
It is value stating right here that the tactic has been adopted by risk actors related to a number of Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file dimension, offering a worth that exceeds the precise determine, because of which the “uncompressed” file is immediately copied, with the manifest parser ignoring the remainder of the “overlay” knowledge that takes up the remainder of the obtainable area.
“Stricter manifest parsers would not have the ability to learn a file like that, whereas the Android parser handles the invalid manifest with none errors,” Kalinin mentioned.
The ultimate method has to do with using lengthy XML namespace names within the manifest file, thus making it troublesome for evaluation instruments to allocate sufficient reminiscence to course of them. That mentioned, the manifest parser is designed to disregard namespaces, and, consequently, no errors are raised when dealing with the file.
SoumniBot, as soon as launched, requests its configuration info from a hard-coded server deal with to acquire the servers used to ship the collected knowledge and obtain instructions utilizing the MQTT messaging protocol, respectively.
It is designed to launch a malicious service that restarts each 16 minutes if it terminates for some purpose, and uploads the data each 15 seconds. This contains system metadata, contact lists, SMS messages, photographs, movies, and an inventory of put in apps.
The malware can also be able to including and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android’s debug mode, to not point out hiding the app icon to make it troublesome to uninstall from the system.
One noteworthy function of SoumniBot is its capacity to look the exterior storage media for .key and .der recordsdata containing paths to “/NPKI/yessign,” which refers back to the digital signature certificates service provided by South Korea for governments (GPKI), banks, and on-line inventory exchanges (NPKI).
“These recordsdata are digital certificates issued by Korean banks to their purchasers and used for signing in to on-line banking providers or confirming banking transactions,” Kalinin mentioned. “This system is sort of unusual for Android banking malware.”
Earlier this 12 months, cybersecurity firm S2W revealed particulars of a malware marketing campaign undertaken by the North Korea-linked Kimusuky group that made use of a Golang-based info stealer known as Troll Stealer to siphon GPKI certificates from Home windows programs.
“Malware creators search to maximise the variety of units they infect with out being observed,” Kalinin concluded. “This motivates them to search for new methods of complicating detection. The builders of SoumniBot sadly succeeded as a result of insufficiently strict validations within the Android manifest parser code.”
