TLDR:
– New Android Trojan called SoumniBot evades detection by obfuscating the Android manifest
– Malware targets users in South Korea and leverages weaknesses in manifest extraction and parsing
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file (“AndroidManifest.xml”) that’s located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires. Knowing that threat hunters typically commence their analysis by inspecting the app’s manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging.
The first method involves the use of an invalid Compression method value when unpacking the APK’s manifest file using the libziparchive library, which treats any value other than 0x0000 or 0x0008 as uncompressed. “This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin explained.
It’s worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023. Secondly, SoumniBot misstates the archived size of the manifest file, declaring a value larger than the actual figure; because the entry is treated as “uncompressed,” the file is copied directly, and the manifest parser ignores the remaining “overlay” data that fills the rest of the declared space. “Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin said.
The final technique involves using very long XML namespace names in the manifest file, making it difficult for analysis tools to allocate enough memory to process them. The Android manifest parser, however, is designed to ignore namespaces, so no errors are raised when handling the file. Once launched, SoumniBot requests its configuration from a hard-coded server address, obtaining the addresses of the servers used, respectively, to upload the collected data and to receive commands over the MQTT messaging protocol.
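The first two tricks described above (a compression method outside the stored/deflate pair, and a declared manifest size larger than the bytes actually stored) can be screened for before any manifest parsing, by reading the APK’s ZIP central directory and local file headers directly rather than trusting a lenient unpacker. The following is an added example, not code from the article or from Kaspersky’s analysis: the finding messages, the helper names and the hand-built fixture are assumptions, and the fixture is a constructed stand-in, not a real sample. The third trick (oversized namespace names) lives inside the binary XML and would need an AXML parser, which this example does not include.

```python
"""Static triage of the AndroidManifest.xml entry inside an APK (ZIP) file.

Parses the ZIP central directory by hand instead of through zipfile, because
the fields that matter here are exactly the ones a lenient unpacker ignores.
"""
import struct
import zlib

MANIFEST = b"AndroidManifest.xml"
VALID_METHODS = {0, 8}        # 0 = stored, 8 = deflate; all Android tooling uses these
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
CDH_FMT, LFH_FMT, EOCD_FMT = "<4s6H3I5H2I", "<4s5H3I2H", "<4sHHHHIIH"   # 46, 30, 22 bytes


def central_directory(data: bytes):
    """Return ([(name, method, declared_csize, local_header_offset), ...], cd_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    records, pos = [], cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        (_, _, _, _, method, _, _, _, csize, _, name_len, extra_len,
         comment_len, _, _, _, lho) = struct.unpack_from(CDH_FMT, data, pos)
        records.append((data[pos + 46:pos + 46 + name_len], method, csize, lho))
        pos += 46 + name_len + extra_len + comment_len
    return records, cd_offset


def manifest_anomalies(apk: bytes) -> list:
    """Return human-readable findings for the two ZIP-level tricks; [] means clean."""
    records, cd_offset = central_directory(apk)
    starts = sorted(lho for _, _, _, lho in records)
    findings = []
    for name, method, csize, lho in records:
        if name != MANIFEST:
            continue
        # Trick 1: libziparchive treats any method other than 0 or 8 as "stored".
        if method not in VALID_METHODS:
            findings.append(f"compression method {method:#06x} is neither stored nor deflate")
        if apk[lho:lho + 4] != LFH_SIG:
            findings.append("central directory points at no local file header")
            continue
        (_, _, _, l_method, _, _, _, l_csize, _,
         name_len, extra_len) = struct.unpack_from(LFH_FMT, apk, lho)
        if (l_method, l_csize) != (method, csize):
            findings.append("local header disagrees with central directory")
        # Trick 2: declared compressed size larger than the bytes physically present
        # between this entry's data and the next local header (or the central directory).
        # A data descriptor (flag bit 3) would only add a few bytes, so the check still holds.
        data_start = lho + 30 + name_len + extra_len
        later = [s for s in starts if s > lho]
        available = (later[0] if later else cd_offset) - data_start
        if csize > available:
            findings.append(f"declared size {csize} exceeds the {available} bytes present")
    if not any(name == MANIFEST for name, _, _, _ in records):
        findings.append("AndroidManifest.xml missing from central directory")
    return findings


def build_apk(manifest: bytes, method: int = 0, declared_csize=None) -> bytes:
    """Constructed test fixture (not a real sample): a two-entry, uncompressed ZIP whose
    manifest header fields can be set independently of the bytes actually written."""
    files = [(MANIFEST, manifest, method, declared_csize), (b"classes.dex", b"dex\n035\0", 0, None)]
    body, central = bytearray(), bytearray()
    for name, payload, meth, csize in files:
        csize = len(payload) if csize is None else csize
        crc, lho = zlib.crc32(payload), len(body)
        body += struct.pack(LFH_FMT, LFH_SIG, 20, 0, meth, 0, 0, crc, csize, len(payload), len(name), 0) + name + payload
        central += struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, meth, 0, 0, crc, csize, len(payload),
                               len(name), 0, 0, 0, 0, 0, lho) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(files), len(files), len(central), len(body), 0)
    return bytes(body + central + eocd)


if __name__ == "__main__":
    fake_manifest = b"\x03\x00\x08\x00" + b"\x00" * 60       # constructed stand-in, not real AXML
    print(manifest_anomalies(build_apk(fake_manifest)))                        # []
    print(manifest_anomalies(build_apk(fake_manifest, method=0x0007,
                                       declared_csize=len(fake_manifest) + 4096)))  # two findings
```

The checker deliberately reads the central directory and the local header separately and compares them, since Android’s unpacker trusts the central directory while many analysis tools read the local header; a disagreement between the two is itself worth a finding. Run it over the ZIP bytes of any APK; a clean archive yields an empty list.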