SoumniBot: Attention! New Android banking malware

A new Android banking malware called "SoumniBot" exploits bugs in the Android manifest extraction and parsing procedure. Thanks to this approach, the malware evades the standard security checks on Android phones and steals information. SoumniBot was discovered and analyzed by Kaspersky researchers.

Exploiting the Android parser

The manifest file ("AndroidManifest.xml") exists in the root directory of every application and describes its components (services, broadcast receivers, content providers), permissions and application data.

According to Kaspersky researchers, the SoumniBot Android banking malware uses three different methods, involving the compression and size of the manifest file, to bypass analysis checks:

Method 1

SoumniBot uses an invalid compression method value for the manifest file inside the APK. This deviates from the standard values (0 or 8) expected by the Android "libziparchive" library, which is responsible for unpacking it.

Instead of rejecting such values, the Android APK parser treats the data as uncompressed due to a bug, allowing the APK to bypass the security checks and continue running on the device.

Method 2

The second method used by SoumniBot involves incorrectly reporting the size of the manifest file in the APK, declaring a value greater than the actual one. Since the entry is marked as uncompressed by the previous step, it is copied directly from the file, with junk "overlay" data filling the difference.

This additional data does not directly harm the device, since Android ignores it, but it confuses code analysis tools.

Method 3

The third evasion technique is the use of very long strings for the names of XML namespaces in the manifest file. As a result, automated analysis tools have difficulty processing them.

Kaspersky researchers have informed Google that APK Analyzer, the official Android analysis utility, cannot handle files that use the above evasion methods.
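As an added example (not code from the article or from Kaspersky), the following Python script shows how an analyst can check an APK's zip headers for the anomalies behind Methods 1 and 2: a compression method other than 0 or 8, and a non-deflated entry whose declared size differs from the bytes actually stored. The sample APK it builds is constructed for the demonstration and patches a normal zip rather than reproducing any real malware; Method 3 (long namespace names) would require a binary-XML parser and is not covered.

```python
import io
import struct
import zipfile

# The only methods Android's libziparchive is meant to accept: 0 = stored, 8 = deflate
VALID_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
MANIFEST = b"<manifest/>"  # constructed stand-in for a real binary AndroidManifest.xml


def build_sample_apk(method=0x1234, size_inflation=4096):
    """Constructed sample: a tiny zip whose AndroidManifest.xml entry is written as
    STORED and then patched to carry an unknown compression method (Method 1) and an
    over-reported uncompressed size (Method 2). Not a real malware file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", MANIFEST)  # first entry, so first headers
        z.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    bogus_size = len(MANIFEST) + size_inflation
    # Local file header layout: method at +8, uncompressed size at +22
    lfh = data.index(b"PK\x03\x04")
    struct.pack_into("<H", data, lfh + 8, method)
    struct.pack_into("<I", data, lfh + 22, bogus_size)
    # Central directory header layout: method at +10, uncompressed size at +24
    cdh = data.index(b"PK\x01\x02")
    struct.pack_into("<H", data, cdh + 10, method)
    struct.pack_into("<I", data, cdh + 24, bogus_size)
    return bytes(data)


def scan_apk(apk_bytes):
    """Return one finding per zip entry a strict parser should reject: an unknown
    compression method, or a non-deflated entry whose declared (uncompressed) size
    disagrees with the bytes actually present, which Android would copy raw."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():  # reads the central directory only, no extraction
            if info.compress_type not in VALID_METHODS:
                findings.append(f"{info.filename}: unknown compression method "
                                f"{info.compress_type:#06x}")
            if info.compress_type != zipfile.ZIP_DEFLATED and info.file_size != info.compress_size:
                findings.append(f"{info.filename}: stored-size mismatch "
                                f"(declared {info.file_size}, actual {info.compress_size})")
    return findings


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Pointing `scan_apk` at a real APK's bytes gives the same two checks over every entry; a clean package produces an empty list.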

Android banking malware SoumniBot

At startup, SoumniBot requests its configuration parameters from a hardcoded server address and sends profile information about the infected device.

It then launches a malicious service that transmits stolen victim data every 15 seconds. The stolen data include IP addresses, contact lists, account details, SMS messages, photos, videos and online banking digital certificates.

Data theft occurs after the malware receives a command from an MQTT server. Other commands include:

  • Delete existing contacts or add new ones
  • Send (forward) an SMS message
  • Adjust the ringer volume level
  • Enable or disable silent mode
  • Enable or disable debugging on the device

Researchers have not discovered how the SoumniBot Android banking malware reaches target devices. It could be hidden inside seemingly legitimate applications in third-party Android stores or introduced via a later update to legitimate apps. It may also be downloaded from untrustworthy websites or delivered through phishing.

SoumniBot mainly targets Korean users and hides its icon after installation to make it harder to remove. It remains active in the background, stealing data from the victim.

Protection from Android banking malware

  • Installing antivirus software is essential for protecting your device. Such software can identify and remove malware before it causes damage.
  • It is important to keep your operating system and applications up to date. Updates often include security fixes that can protect your device from malware.
  • Avoid installing applications from third-party sources. These applications have not undergone the same security checks as those in the Google Play Store and may contain malware (e.g. SoumniBot).
  • Watch the permissions that apps ask for. If an application requests access to personal information it does not seem to need, it may be best not to install it.
  • Beware of phishing emails, which may try to induce you to download malware. These messages may appear to come from legitimate sources, but they often contain links or attachments that can install malware on your device.
  • Finally, it is important to back up your data regularly. This can help you restore your information if your device is infected by malware (e.g. SoumniBot).

Source : www.bleepingcomputer.com
