April 17, 2024 at 05:45PM
The newly discovered Android banking malware ‘SoumniBot’ employs unusual obfuscation techniques to evade standard security measures found in Android phones. It exploits weaknesses in the Android manifest extraction and parsing procedure, allowing it to perform info-stealing operations. Once launched, SoumniBot exfiltrates a variety of data and is controlled by commands received via an MQTT server.
Key takeaways from the meeting notes on the new Android banking malware ‘SoumniBot’ are as follows:
1. SoumniBot uses a less common obfuscation method by exploiting weaknesses in the Android manifest extraction and parsing procedure, enabling it to evade standard security measures in Android phones and perform info-stealing operations.
2. Kaspersky researchers have analyzed the malware and provided technical details on the methods it uses to take advantage of the Android routine to parse and extract APK manifests.
3. SoumniBot employs three different methods involving manipulation of the manifest file’s compression and size to evade parser checks, including using invalid compression values, misreporting the file size, and using very long strings for the names of XML namespaces.
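The first two of those manifest tricks live in the ZIP headers of the APK rather than in the manifest content, so a defender can screen for them without decoding the binary XML at all. The following is an added illustration written for this summary (it is not code from Kaspersky or from the malware): it builds a constructed one-entry archive, then reads the central directory and local header the way a strict parser should, flagging a compression method other than stored/deflate and a declared size that does not match the bytes physically present. The manifest payload is a plain-text stand-in for the binary XML, since only the ZIP-level fields are examined; the third trick (overlong XML namespace names) would need a string-pool parser and is not covered here.

```python
"""Screen an APK's AndroidManifest.xml entry for header tampering.

Added example, not the page's or Kaspersky's code. The archive builder
exists only to produce constructed clean and tampered samples offline.
"""
import struct
import zlib
from typing import List, Optional, Tuple

MANIFEST = "AndroidManifest.xml"
ZIP_STORED, ZIP_DEFLATED = 0, 8
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"            # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"    # 46-byte central directory entry
EOCD_FMT = "<IHHHHIIH"                # 22-byte end-of-central-directory record


def build_apk(manifest: bytes, method: int = ZIP_STORED,
              declared_size: Optional[int] = None) -> bytes:
    """Construct a single-entry ZIP (a stand-in for an APK).

    `method` and `declared_size` are written verbatim into both headers,
    so passing bad values produces a deliberately tampered sample.
    """
    name = MANIFEST.encode()
    crc = zlib.crc32(manifest) & 0xFFFFFFFF
    size = len(manifest) if declared_size is None else declared_size
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, method, 0, 0,
                        crc, size, size, len(name), 0) + name
    cd_offset = len(local) + len(manifest)
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, method, 0, 0,
                          crc, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + manifest + central + eocd


def _central_entries(data: bytes) -> Tuple[List[dict], int]:
    """Parse the central directory; return (entries, central-directory offset)."""
    eocd_at = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_FMT, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        nlen, elen, clen = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "csize": f[8],
                        "usize": f[9], "offset": f[16]})
        pos += 46 + nlen + elen + clen
    return entries, cd_offset


def _bytes_on_disk(data: bytes, entry: dict, offsets: List[int], cd_offset: int) -> int:
    """Bytes physically stored for the entry: from the end of its local header
    (name and extra field included) up to the next local header or the
    central directory, whichever comes first."""
    off = entry["offset"]
    f = struct.unpack_from(LOCAL_FMT, data, off)
    if f[0] != LOCAL_SIG:
        raise ValueError("bad local header signature")
    start = off + 30 + f[9] + f[10]
    nxt = min([o for o in offsets if o > off] + [cd_offset])
    return nxt - start


def inspect_manifest(data: bytes) -> List[str]:
    """Return findings about the AndroidManifest.xml entry; empty list means clean."""
    entries, cd_offset = _central_entries(data)
    m = next((e for e in entries if e["name"] == MANIFEST), None)
    if m is None:
        return ["manifest entry missing"]
    findings = []
    if m["method"] not in (ZIP_STORED, ZIP_DEFLATED):
        findings.append(f"invalid compression method {m['method']:#06x}")
    actual = _bytes_on_disk(data, m, [e["offset"] for e in entries], cd_offset)
    if m["csize"] != actual:
        findings.append(f"declared size {m['csize']} != {actual} bytes on disk")
    if m["method"] == ZIP_STORED and m["csize"] != m["usize"]:
        findings.append("stored entry with compressed != uncompressed size")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the binary XML manifest; only headers are checked.
    sample = b"<manifest package='example.test'/>"
    cases = [("clean", build_apk(sample)),
             ("bad method", build_apk(sample, method=0xFFFF)),
             ("oversized", build_apk(sample, declared_size=len(sample) + 4096))]
    for label, apk in cases:
        print(f"{label:>10}: {inspect_manifest(apk) or 'ok'}")
```

The size check compares the central-directory field against the bytes actually laid out between headers rather than trusting either header alone; a tolerant extractor that accepts whichever value lets it proceed is exactly the behaviour these tricks rely on, so a triage tool should reject the archive on any finding rather than trying to repair it.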
4. Upon launch, SoumniBot requests its configuration parameters from a hardcoded server address and sends profiling information for the infected device. It then initiates a malicious service that restarts regularly and transmits stolen data every 15 seconds, including IP addresses, contact lists, account details, SMS messages, photos, videos, and online banking digital certificates.
5. The data exfiltration is controlled by commands the malware receives via an MQTT server, allowing functions such as adding/deleting contacts, sending SMS messages, and controlling device settings.
6. SoumniBot targets Korean users and may reach devices through third-party Android stores, unsafe websites, or malicious code slipped into updates of legitimate apps hosted in trusted repositories. It hides its icon after installation and remains active in the background, uploading the victim's data.
7. Kaspersky provides a short set of indicators of compromise, including hashes for the malware and two domains that malware operators use for command and control activity.