Novel Android Malware Targets South Korean Banking Users
New Malware SoumniBot Exploits Legitimate Android Process
A new banking Trojan is targeting Korean users with obfuscation techniques aimed at the Android manifest, taking advantage of weaknesses in how Android extracts and parses this file rather than of a code-execution vulnerability.
Unlike droppers such as Badpack and Hqwar, the new Android malware, dubbed SoumniBot, stands out for its unusual approach to camouflaging its malicious code.
Researchers at Kaspersky said the secret to SoumniBot's evasion strategy is its manipulation of the Android manifest (AndroidManifest.xml), the file that every Android application package must contain and that declares the app's components and permissions.
The malware developers do not exploit a vulnerability in the usual sense. They abuse the way the manifest is extracted from the APK and parsed: Android accepts malformed values that analysis tools choke on, so the manifest looks broken or unreadable to researchers while the app installs and runs normally.
Exploiting Android Manifest Weaknesses
SoumniBot employs several techniques to obfuscate its presence and thwart analysis:
- Invalid Compression Method Value: An APK is a ZIP archive, and each entry's header records how that entry was compressed. SoumniBot writes an invalid compression method value into the AndroidManifest.xml entry. Android's package parser treats any value other than DEFLATE as "stored" and reads the manifest uncompressed, so the app installs normally, while unpacking and analysis tools that validate the field refuse to open it.
- Invalid Manifest Size: SoumniBot declares a size for the AndroidManifest.xml entry that is larger than the data actually present. When the entry is extracted, the bytes that follow it in the archive are copied along with it as an overlay. Android's parser ignores the trailing data and processes the manifest normally, whereas strict parsers detect the mismatch and fail with an error.
- Long Namespace Names: SoumniBot uses extremely long strings as XML namespace names inside the manifest, which makes the file unreadable for humans and unwieldy for analysis programs. The Android OS parser does not validate namespace contents and simply ignores them, so the app still runs.
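To make the first two tricks concrete, here is an added example (my own code, not from the article or from Kaspersky's analysis) that hand-crafts an APK-like ZIP whose AndroidManifest.xml entry either carries an invalid compression method or declares a size larger than the data really present. Python's standard zipfile module stands in for a strict analysis tool, and extract_lenient() models the tolerant behaviour the article attributes to Android; it is a simplified model, not Android's actual parser. The manifest body is a constructed placeholder behind a real ResChunk_header (type, header size, chunk size), since only that header matters here; the long-namespace trick lives inside the binary XML string pool and is not modelled. The function names (build_apk, extract_strict, extract_lenient, manifest_findings) are mine.

```python
"""Toy model of two SoumniBot manifest tricks at the ZIP layer (added example).
Python's zipfile plays the strict analysis tool; extract_lenient() models the
tolerant behaviour the article attributes to Android (it is not Android's parser).
The manifest body is a constructed placeholder, not real binary XML."""
import io
import struct
import zipfile
import zlib
from typing import Optional

MANIFEST = b"AndroidManifest.xml"
RES_XML_TYPE = 0x0003          # ResChunk_header.type of a binary XML document
LOCAL_HDR, CD_HDR, EOCD = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"

def fake_axml(body: bytes) -> bytes:
    # ResChunk_header: type(u16), headerSize(u16), size(u32); size spans the whole chunk
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body

def build_apk(manifest: bytes, method: int = 0, declared: Optional[int] = None) -> bytes:
    """Two-entry ZIP: the manifest (always written raw, whatever the headers claim), then a filler.
    `method` and `declared` are the lies written into the manifest's ZIP headers."""
    filler = b"\x00" * 64
    declared = len(manifest) if declared is None else declared
    out, cd = io.BytesIO(), io.BytesIO()
    for name, data, meth, size in ((MANIFEST, manifest, method, declared),
                                   (b"classes.dex", filler, 0, len(filler))):
        crc, off = zlib.crc32(data), out.tell()
        out.write(struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, meth, 0, 0x21,
                              crc, size, size, len(name), 0) + name + data)
        cd.write(struct.pack(CD_HDR, 0x02014B50, 20, 20, 0, meth, 0, 0x21,
                             crc, size, size, len(name), 0, 0, 0, 0, 0, off) + name)
    cd_off = out.tell()
    out.write(cd.getvalue())
    out.write(struct.pack(EOCD, 0x06054B50, 0, 0, 2, 2, len(cd.getvalue()), cd_off, 0))
    return out.getvalue()

def cd_entries(apk: bytes):
    """Yield (name, method, declared_size, data_start) by walking the central directory."""
    e = apk.rfind(b"PK\x05\x06")
    rec = struct.unpack(EOCD, apk[e:e + 22])
    pos = rec[6]
    for _ in range(rec[4]):
        h = struct.unpack(CD_HDR, apk[pos:pos + 46])
        name = apk[pos + 46:pos + 46 + h[10]]
        pos += 46 + h[10] + h[11] + h[12]
        lh = struct.unpack(LOCAL_HDR, apk[h[16]:h[16] + 30])
        yield name, h[4], h[8], h[16] + 30 + lh[9] + lh[10]

def extract_strict(apk: bytes) -> Optional[bytes]:
    """Strict unpacker: None where zipfile refuses the entry (bad method, CRC or overlap)."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            return zf.read(MANIFEST.decode())
    except (zipfile.BadZipFile, NotImplementedError):
        return None

def extract_lenient(apk: bytes) -> bytes:
    """Tolerant unpacker: any method but DEFLATE is treated as stored, the declared size
    is copied overlay and all, and the binary-XML chunk size decides where the manifest ends."""
    for name, method, csize, start in cd_entries(apk):
        if name == MANIFEST:
            raw = apk[start:start + csize]
            data = zlib.decompress(raw, -15) if method == 8 else raw
            chunk_type, _, chunk_size = struct.unpack("<HHI", data[:8])
            if chunk_type != RES_XML_TYPE:
                raise ValueError("manifest is not a binary XML chunk")
            return data[:chunk_size]
    raise KeyError("AndroidManifest.xml not in central directory")

def manifest_findings(apk: bytes) -> list:
    """Triage check: report header values that make strict and lenient readers disagree.
    Skips the size check for genuinely deflated entries, which would need inflating first."""
    findings = []
    for name, method, csize, start in cd_entries(apk):
        if name != MANIFEST:
            continue
        if method not in (0, 8):
            findings.append(f"invalid compression method 0x{method:04x}")
        if method != 8:
            chunk_size = struct.unpack("<I", apk[start + 4:start + 8])[0]
            if csize > chunk_size:
                findings.append(f"declared size {csize} exceeds XML chunk size {chunk_size}")
    return findings

def demo() -> dict:
    """For each sample: (strict reader got the manifest, lenient reader got it, findings)."""
    m = fake_axml(b"<placeholder body, not real binary XML>")
    samples = {"clean": build_apk(m), "bad_method": build_apk(m, method=0x1234),
               "bad_size": build_apk(m, declared=len(m) + 24)}
    return {k: (extract_strict(v) == m, extract_lenient(v) == m, manifest_findings(v))
            for k, v in samples.items()}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} strict={v[0]} lenient={v[1]} findings={v[2]}")
```

Run it and the clean sample opens with both readers, while the two tampered samples are refused by zipfile (NotImplementedError for the unknown method, a CRC or overlapped-entry error for the oversized entry) yet yield the intact manifest from the lenient reader. manifest_findings() is the triage check that follows from this: a manifest entry whose method is neither stored nor DEFLATE, or whose declared size exceeds the chunk size in its own header, is exactly the disagreement between strict and tolerant parsers that an APK built this way relies on.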
SoumniBot's Functionality
On launch, SoumniBot fetches its configuration parameters from a hard-coded server. It then starts a malicious service, hides its icon from the launcher to hinder removal, and begins quietly uploading sensitive data from the victim's device to a server chosen by the operators.
Researchers also highlight SoumniBot's ability to search for and exfiltrate the digital certificates that Korean banks issue to their customers for online banking. With a stolen certificate, the attackers can authenticate as the victim and carry out fraudulent transactions.
When it finds the relevant files, SoumniBot packs the directory holding the certificates into a ZIP archive and sends it to the attacker-controlled server. These certificates, issued by Korean banks to their clients, are used for authentication and authorization.
SoumniBot also subscribes to messages from an MQTT (Message Queuing Telemetry Transport) broker, which serves as its command-and-control channel. MQTT is a lightweight publish/subscribe messaging protocol designed for constrained devices, so the malware receives the operators' commands as soon as they are published, without polling a web server.
The commands the researchers describe include:
- Sending information about the infected device (phone number, carrier and Trojan version), followed by all of the victim's SMS messages, contacts, accounts, photos, videos and online banking digital certificates.
- Sending the victim's contact list.
- Deleting a contact from the device.
- Sending the list of installed apps.
- Adding a new contact to the device.
- Reporting the ringtone volume level.