A newly discovered Android banking malware named ‘SoumniBot’ employs sophisticated obfuscation techniques to evade detection by leveraging weaknesses in the Android manifest extraction process. This malware, analyzed by Kaspersky researchers, utilizes unconventional methods to manipulate the Android parser, allowing it to bypass standard security measures typically found in Android phones. By exploiting vulnerabilities in the parsing procedure, SoumniBot can operate stealthily on infected devices, facilitating the theft of sensitive information without triggering alarms or detection mechanisms.
The evasion techniques employed by SoumniBot include supplying invalid compression values and misreporting the size of the manifest file within the APK, confusing code analysis tools and bypassing security checks. Additionally, the malware uses long strings in XML namespaces, making it challenging for automated analysis tools to process them effectively due to memory constraints. Kaspersky researchers have alerted Google about the limitations of the APK Analyzer, the official Android analysis utility, in handling files utilizing these evasion methods, highlighting the need for enhanced detection mechanisms to counter such threats effectively.
Upon launch, SoumniBot communicates with a hardcoded server to retrieve configuration parameters and initiates malicious services on the infected device. These services transmit stolen data, including IP addresses, contact lists, account details, SMS messages, photos, videos, and online banking certificates, at regular intervals. The malware’s control is facilitated through commands received via an MQTT server, allowing operators to execute various functions such as adding or deleting contacts, sending SMS messages, adjusting ringtone volume, and toggling debug mode.
The distribution methods of SoumniBot remain unclear but may include distribution via third-party app stores, unsafe websites, or malicious updates to legitimate apps in trusted repositories. Targeting Korean users, SoumniBot hides its icon after installation to evade removal attempts while remaining active in the background, continuously exfiltrating data from infected devices. Kaspersky provides indicators of compromise, including malware hashes and command-and-control domains, to aid in detection and mitigation efforts against this emerging mobile malware threat.
