Analysis Summary

An Android trojan named SoumniBot has recently emerged targeting users primarily in South Korea. Its sophisticated approach to evading detection and analysis sets this malware apart, particularly through obfuscation techniques employed within the Android manifest file.

The manifest file is a critical component of every Android app which outlines its functionalities permissions, and requirements. Threat actors behind SoumniBot have implemented three distinct methods to complicate the analysis process for security researchers.

"Just like the operating system, the analyst starts by inspecting the manifest to find the entry points, which is where code analysis should start," said the researchers.

Firstly, the malware utilizes an unconventional compression method value within the manifest file to trick unpacking tools into treating the data as uncompressed. This technique exploits a vulnerability in the libziparchive library, allowing the malware to evade detection during installation despite appearing invalid to some unpackers. This method has been observed in previous Android banking trojans, indicating a trend among threat actors.

Secondly, SoumniBot misrepresents the size of the archived manifest file, leading the parser to copy only the "uncompressed" portion while ignoring the remaining "overlay" data. This tactic further confounds analysis tools, as stricter parsers would fail to interpret such malformed files correctly. Despite these irregularities, the Android parser seamlessly handles the manifest file facilitating the installation of the malicious application.

Lastly, the trojan employs lengthy XML namespace names within the manifest file challenging analysis tools to allocate sufficient memory for processing. However, the Android manifest parser is designed to disregard namespaces, allowing the malware to evade detection without triggering errors. These obfuscation techniques collectively contribute to the stealthy operation of SoumniBot, complicating efforts to identify and mitigate its threat effectively.

Upon execution, SoumniBot retrieves its configuration information from a hardcoded server address enabling it to collect data and receive commands via the MQTT messaging protocol. The malware operates stealthily, launching a malicious service that restarts every 16 minutes to ensure persistence on the infected device. It continuously uploads sensitive information, including device metadata, contact lists, SMS messages, multimedia files, and a list of installed apps, at regular intervals.

Furthermore, SoumniBot exhibits malicious functionalities such as adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android's debug mode. Notably, it can conceal its app icon to hinder uninstallation efforts, enhancing its persistence on infected devices. Additionally, the trojan searches for specific digital certificate files related to South Korean banking services, indicating a targeted approach toward financial fraud.

While SoumniBot poses a significant threat to Android users, it's noteworthy that Google Play Protect offers automatic protection against known versions of this malware. Despite this safeguard, the evolving tactics employed by malware developers underscore the importance of robust security measures and continuous vigilance to mitigate emerging threats effectively. As cybersecurity experts continue to analyze and respond to the evolving landscape of Android malware, staying informed and proactive remains paramount in safeguarding against potential risks.

Impact

• Sensitive Data Theft
• File Manipulation
• Financial Loss

Indicators of Compromise

SHA1

• a64a2abfbf1fc6f0439122710d10ae4b79bff6eb
• b43094c27584f5e0fc5feaa5c621e56d7c2f3ccb
• 3c0605960a99534c69af7e16fae8f4c128122be0
• a4b4a0199f53a250b975de0fe025137ed97840c3

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
• Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.