Analysis of the SoumniBot Android banker

SoumniBot is an Android banking Trojan that evades manifest inspection by exploiting lax APK manifest extraction and parsing (invalid compression values, incorrect manifest sizes, and oversized namespace strings) to hide its entry points and payload. It targets Korean users, collects device data and banking keys from /NPKI/yessign, and uses a mainsite server plus MQTT for command-and-control. #SoumniBot #NPKI

Keypoints

  • SoumniBot obfuscates the AndroidManifest.xml to prevent analysts and some tools from finding app entry points, using malformed ZIP header fields and oversized strings.
  • Technique 1: Invalid Compression Method — the APK sets non-0x0008 compression values while storing uncompressed manifest data, bypassing stricter unpackers but accepted by Android’s parser.
  • Technique 2: Invalid Manifest Size — the archive header declares a larger manifest size than actual, producing overlay data that Android ignores but breaks stricter analyzers like apkanalyzer.
  • Technique 3: Long Namespace Names — extremely long XML namespace strings make the manifest unreadable or hard to parse for tools, while Android ignores namespaces and proceeds normally.
  • At runtime the app requests two server parameters (mainsite and mqtt), starts a persistent background service, hides its icon, and uploads device data to mainsite every 15 seconds.
  • SoumniBot subscribes to an MQTT server to receive commands (e.g., exfiltrate contacts, messages, photos; add/delete contacts; send SMS) and specifically searches for .key/.der files under /NPKI/yessign to steal Korean banking certificates.
  • Kaspersky detects SoumniBot as Trojan-Banker.AndroidOS.SoumniBot and reported the manifest parsing issues to Google because Google’s apkanalyzer cannot handle these malformed manifests.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – SoumniBot deliberately corrupts or alters the APK manifest and ZIP headers to hide entry points and payloads (‘obfuscation of the Android manifest’).
  • [T1564] Hide Artifacts – The Trojan hides its app icon to complicate detection and removal (‘the Trojan hides the app icon to complicate removal’).
  • [T1071] Application Layer Protocol – Uses MQTT and HTTP(S) (mainsite and mqtt parameters) for command-and-control and data transfer (‘mqtt provides MQTT messaging functionality for receiving commands’).
  • [T1005] Data from Local System – Searches external storage for .key and .der files and looks for paths containing ‘/NPKI/yessign’ to collect banking certificates (‘(_data LIKE '%.key' OR _data LIKE '%.der')’ and ‘/NPKI/yessign’).
  • [T1041] Exfiltration Over C2 Channel – Copies directories containing found keys into a ZIP archive and sends them to the C&C server (‘it copies the directory where they are located into a ZIP archive and sends it to the C&C server’).

Indicators of Compromise

  • [MD5] sample APK hashes – 0318b7b906e9a34427bf6bbcf64b6fc8, b456430b4ed0879271e6164a7c0e4f6e (and 2 more hashes)
  • [C2 domains] command-and-control servers – https://google.kt9.site, https://dbdb.addea.workers.dev
  • [File paths] targeted banking keys – files matching %.key or %.der under /NPKI/yessign (searched on external storage)

SoumniBot implements three manifest-level obfuscation techniques that exploit lax or inconsistent APK parsing: (1) setting an invalid ZIP compression-method value for the AndroidManifest.xml entry while storing uncompressed data so stricter unpackers flag it but Android accepts it, (2) declaring a manifest size larger than the actual payload so overlay bytes (other archive content) are appended and ignored by Android’s parser, and (3) inserting extremely long XML namespace strings to make the manifest unreadable for tools that may fail to allocate sufficient memory. These manipulations prevent reliable identification of app components and entry points by many analysis tools (for example, Google’s apkanalyzer fails on such APKs), while the device still installs and runs the app.
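The two ZIP-level tricks above (an invalid compression-method value and a declared manifest size larger than the real binary XML) can be checked without trusting any unpacker. The following added example is not from the Securelist write-up or from the malware: it hand-parses the central directory of a constructed one-entry APK whose manifest is a bare AXML header, compares the declared entry size against the size the AXML chunk header claims for itself, and flags the anomalies. Technique 3 (oversized namespace strings) would need a string-pool parser and is not covered here.

```python
import io
import struct
import zipfile

MANIFEST = b"AndroidManifest.xml"
RES_XML_TYPE = 0x0003          # type of the first chunk in a valid binary manifest
STORED, DEFLATED = 0x0000, 0x0008

def build_sample_apk(method=0x0009, overlay=b"\xAA" * 64):
    """Constructed sample, not a real SoumniBot file: a one-entry ZIP whose manifest is a bare
    AXML header plus padding. 'overlay' mimics technique 2, 'method' mimics technique 1."""
    axml = struct.pack("<HHI", RES_XML_TYPE, 8, 32) + b"\x00" * 24   # chunk size field = 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST.decode(), axml + overlay)
    apk = bytearray(buf.getvalue())
    # Overwrite the compression-method field in the local header (+8) and central directory (+10)
    struct.pack_into("<H", apk, apk.find(b"PK\x03\x04") + 8, method)
    struct.pack_into("<H", apk, apk.find(b"PK\x01\x02") + 10, method)
    return bytes(apk)

def inspect_manifest(apk):
    """Walk the central directory by hand (zipfile may reject these headers) and report
    the manifest-entry anomalies described above. Returns a list of finding strings."""
    findings = []
    eocd = apk.rfind(b"PK\x05\x06")
    cd_size, cd_off = struct.unpack_from("<II", apk, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size:
        method, = struct.unpack_from("<H", apk, pos + 10)
        csize, usize = struct.unpack_from("<II", apk, pos + 20)
        nlen, xlen, clen = struct.unpack_from("<HHH", apk, pos + 28)
        lho, = struct.unpack_from("<I", apk, pos + 42)
        name = apk[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        if name != MANIFEST:
            continue
        if method not in (STORED, DEFLATED):
            findings.append(f"method 0x{method:04x} is neither STORED nor DEFLATED")
        if method != DEFLATED and csize != usize:
            findings.append("stored entry but compressed size != uncompressed size")
        if method != DEFLATED:   # Android reads any non-DEFLATED entry as stored bytes
            lnlen, lxlen = struct.unpack_from("<HH", apk, lho + 26)
            start = lho + 30 + lnlen + lxlen   # data follows the 30-byte local header
            ctype, _, chunk = struct.unpack_from("<HHI", apk, start)
            if ctype != RES_XML_TYPE:
                findings.append("manifest data does not start with an AXML header")
            elif usize > chunk:
                findings.append(f"declared size exceeds AXML chunk size by {usize - chunk} bytes (overlay)")
    return findings
```

Running inspect_manifest(build_sample_apk()) yields two findings, one per technique, while a clean stored manifest with no overlay yields none.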

On execution the app fetches two configuration parameters (mainsite and mqtt) from a hardcoded source or falls back to embedded defaults, then spawns a persistent background service that auto-restarts every 16 minutes if stopped. It hides its launcher icon, uploads device telemetry (IP, country, contacts, accounts, SMS/MMS, photos/videos, a generated device ID) to mainsite every ~15 seconds, and subscribes to MQTT for command delivery. Commands include enumerating/exfiltrating contacts, SMS/MMS, media, installed apps, toggling silent mode, sending SMS via an ID-based fetch, and a critical command that searches external storage for .key/.der files under /NPKI/yessign; when found, the malware zips the containing directory and exfiltrates the archive to its C2 infrastructure.

These technical behaviors combine APK-level evasion with active credential-theft and C2-controlled data exfiltration targeting Korean online banking certificates; detection signatures and remediation should focus on malformed manifest headers, frequent short-interval telemetry uploads, MQTT subscriptions to unknown brokers, and searches for /NPKI/yessign certificate files.

Read more: https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/