New Android Trojan ‘SoumniBot’ Evades Detection with Clever Tricks

19.04.2024

A new Android trojan named SoumniBot has emerged, targeting users primarily in South Korea. Its detection highlights a concerning trend in cyber threats, as it exploits weaknesses within the extraction and parsing procedures of Android app manifest files. These manifest files, crucial for understanding an app’s behavior, are typically the first point of analysis for threat hunters. SoumniBot’s creators have employed three distinct techniques to obfuscate the manifest file, complicating the analysis process significantly.

The first method involves manipulating the Compression method value within the APK’s manifest file, exploiting a loophole in the Android APK parser. This allows the malware to bypass conventional validation checks, enabling its installation despite the manifest’s irregularities. Additionally, SoumniBot misrepresents the size of the archived manifest file, further complicating detection efforts. By providing an inflated size value, the malware ensures that the parser ignores additional data, effectively masking its malicious intent.

Moreover, SoumniBot employs lengthy XML namespace names within the manifest file, challenging analysis tools’ memory allocation capabilities. Despite these complexities, the Android manifest parser is designed to overlook namespace details, allowing the malware to operate without triggering errors. Once installed, SoumniBot retrieves configuration data from a predetermined server address and initiates a series of malicious activities on the infected device.

These activities include collecting a wide range of sensitive information such as device metadata, contacts, SMS messages, photos, videos, and a list of installed apps. Notably, SoumniBot exhibits a unique capability to search for digital certificate files associated with South Korean banks, a feature uncommon among Android banking malware. This technique underscores the malware’s sophisticated nature and its potential impact on users’ financial security.

Google has confirmed that SoumniBot-infected apps are not present on the Google Play Store, providing some reassurance to Android users. Additionally, Google Play Protect offers automatic protection against known variants of this malware, even when sourced from external sources. However, the emergence of SoumniBot highlights the ongoing challenges in combating evolving cyber threats and the need for continuous vigilance and innovation in cybersecurity practices.