Summary: This article discusses a new banking Trojan called SoumniBot that is targeting Korean users by exploiting vulnerabilities in the Android manifest and using obfuscation techniques to evade detection.
Threat Actor: SoumniBot
Victim: Korean users
Key Points:
- SoumniBot manipulates the Android manifest to hide its malicious intent and evade detection during installation.
- The malware can search for and exfiltrate digital certificates used by Korean banks, allowing threat actors to exploit banking credentials and conduct fraudulent transactions.
- SoumniBot also subscribes to messages from a message queuing telemetry transport server (MQTT), enabling remote attackers to send commands and collect sensitive information from the infected device.
New Malware SoumniBot Exploiting Legitimate Android Process
A new banking Trojan is targeting Korean users with obfuscation techniques aimed at the Android manifest, exploiting vulnerabilities and weaknesses in how the file is parsed and interpreted.
Unlike typical malware droppers like Badpack and Hqwar, the novel Android malware dubbed SoumniBot stands out for its innovative approach to camouflaging its malicious intent.
Researchers at Kaspersky said the secret to SoumniBot’s evasion strategy is its ability to manipulate the Android manifest, a crucial component within every Android application package.
The malware developers identify and exploit vulnerabilities in the manifest extraction and parsing procedure to obscure the true nature of the malware.
Exploiting Android Manifest Weaknesses
SoumniBot employs several techniques to obfuscate its presence and thwart analysis:
- Invalid Compression Method Value: By manipulating the compression method value in the ZIP entry for AndroidManifest.xml, SoumniBot tricks the parser into treating the data as uncompressed, allowing the malware to evade detection during installation.
- Invalid Manifest Size: SoumniBot manipulates the size declared for the AndroidManifest.xml entry, leaving overlay data in the unpacked manifest. This tactic lets the malware get past strict parsers without triggering errors.
- Long Namespace Names: Utilizing excessively long namespace strings within the manifest, SoumniBot renders the file unreadable for both humans and programs. The Android OS parser disregards these lengthy namespaces, facilitating the malware’s stealthy operation.
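The first two manifest tricks above are ZIP-level anomalies, so they can be checked before any XML is parsed. The following script is an added example written for this article (not Kaspersky's tooling or anything from the SoumniBot sample): it walks the central directory and local file header of an APK, flags an AndroidManifest.xml entry whose compression method is neither STORED nor DEFLATE, and compares the declared uncompressed size and CRC-32 against the data that is actually present. The APK fixtures at the bottom are constructed in memory (a stub binary-XML header plus a placeholder dex), and the two patched variants exist only so the detector has something to flag.

```python
"""Flag the ZIP-level manifest anomalies described above in an APK:
an AndroidManifest.xml entry whose compression method is neither STORED
nor DEFLATE, and one whose declared uncompressed size does not match the
data actually stored. Constructed example, not the researchers' tooling."""
import io
import struct
import zipfile
import zlib

MANIFEST = "AndroidManifest.xml"
ZIP_STORED, ZIP_DEFLATED = 0, 8
AXML_MAGIC = b"\x03\x00\x08\x00"  # ResXMLTree_header: type 0x0003, header size 8
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
CD_SIG = b"PK\x01\x02"  # central directory file header signature


def raw_entry_bytes(apk: bytes, info: zipfile.ZipInfo) -> bytes:
    """Return the entry's stored (possibly compressed) bytes by walking the
    local file header, using the sizes declared in the central directory."""
    fields = LOCAL_HEADER.unpack_from(apk, info.header_offset)
    if fields[0] != b"PK\x03\x04":
        raise ValueError("bad local file header signature")
    name_len, extra_len = fields[9], fields[10]
    start = info.header_offset + LOCAL_HEADER.size + name_len + extra_len
    return apk[start:start + info.compress_size]


def manifest_findings(apk: bytes) -> list[str]:
    """Return anomaly descriptions for the manifest entry (empty list if clean)."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        try:
            info = zf.getinfo(MANIFEST)
        except KeyError:
            return ["AndroidManifest.xml entry missing"]
    if info.compress_type not in (ZIP_STORED, ZIP_DEFLATED):
        findings.append(f"invalid compression method {info.compress_type}")
    raw = raw_entry_bytes(apk, info)
    if info.compress_type == ZIP_DEFLATED:
        try:
            payload = zlib.decompress(raw, -15)  # raw deflate, no zlib wrapper
        except zlib.error:
            findings.append("deflate stream does not decode")
            return findings
    else:
        # Mirror the lenient behaviour the article describes: any method other
        # than DEFLATE is treated as uncompressed data.
        payload = raw
    if len(payload) != info.file_size:
        findings.append(f"declared size {info.file_size} != actual size {len(payload)}")
    if zlib.crc32(payload) != info.CRC:
        findings.append("CRC-32 mismatch")
    if not payload.startswith(AXML_MAGIC):
        findings.append("payload does not start with a binary XML header")
    return findings


# --- constructed fixtures (hypothetical APK, not a real sample) --------------

def build_apk(manifest: bytes, compress_type: int = ZIP_DEFLATED) -> bytes:
    """Build a minimal APK-like ZIP containing a manifest and a placeholder dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest, compress_type=compress_type)
        zf.writestr("classes.dex", b"dex\n035\x00placeholder", compress_type=ZIP_STORED)
    return buf.getvalue()


def central_dir_offset(apk: bytes, name: str) -> int:
    """Locate the central directory header for `name` (no zip64 handling)."""
    pos = apk.find(CD_SIG)
    while pos >= 0:
        name_len = struct.unpack_from("<H", apk, pos + 28)[0]
        if apk[pos + 46:pos + 46 + name_len] == name.encode():
            return pos
        pos = apk.find(CD_SIG, pos + 4)
    raise ValueError(f"{name} not in central directory")


def patch_central_field(apk: bytes, field_offset: int, fmt: str, value: int) -> bytes:
    """Overwrite one field of the manifest's central directory header; used only
    to produce fixtures the detector should flag."""
    out = bytearray(apk)
    struct.pack_into(fmt, out, central_dir_offset(apk, MANIFEST) + field_offset, value)
    return bytes(out)


SAMPLE_MANIFEST = AXML_MAGIC + struct.pack("<I", 8 + 64) + bytes(64)  # stub, 72 bytes
CLEAN_APK = build_apk(SAMPLE_MANIFEST)
BAD_METHOD_APK = patch_central_field(CLEAN_APK, 10, "<H", 0x7777)  # method field
BAD_SIZE_APK = patch_central_field(CLEAN_APK, 24, "<I", 72 + 4096)  # uncompressed size

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_APK), ("bad method", BAD_METHOD_APK),
                          ("bad size", BAD_SIZE_APK)):
        print(f"{label}: {manifest_findings(sample) or ['no findings']}")
```

The checks deliberately read the entry through the central directory and local header by hand rather than through `ZipFile.open()`, because the standard library refuses to open an entry with an unknown compression method; a triage tool that simply crashed there would miss exactly the sample it should flag. The CRC and binary-XML header checks catch the same anomalies from a second angle: if the stored bytes are not what the directory claims, at least one of the three comparisons fails.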
SoumniBot’s Functionality
Upon execution, SoumniBot requests configuration parameters from a hardcoded server, enabling it to function effectively. The malware then initiates a malicious service, conceals its icon to hinder removal, and begins surreptitiously uploading sensitive data from the victim’s device to a designated server.
Researchers also point to SoumniBot’s capability to search for and exfiltrate digital certificates used by Korean banks for online banking services. This feature allows threat actors to exploit banking credentials and conduct fraudulent transactions.
Upon locating relevant files, SoumniBot copies the directory containing these digital certificates into a ZIP archive, which is then transmitted to the attacker-controlled server. These certificates, issued by Korean banks to their clients, are used for authentication and authorization purposes.
SoumniBot also subscribes to messages from a Message Queuing Telemetry Transport, or MQTT, server, which serves as an essential component of its command-and-control infrastructure. MQTT facilitates lightweight, efficient messaging between devices, helping the malware seamlessly receive commands from remote attackers.
Some commands send information about the infected device, including the phone number, carrier and Trojan version, followed by all of the victim’s SMS messages, contacts, accounts, photos, videos and online banking digital certificates.
Other commands send the victim’s contact list, delete a contact on the device, send a list of installed apps, add a new contact, and retrieve the ringtone volume level.
Source: https://www.bankinfosecurity.com/novel-android-malware-targets-korean-banking-users-a-24897