Skip to content

Android trojan SoumniBot improves evasion techniques

  • by
  • 3 min read

Photo: Rafapress / Shutterstock.com

A banking Trojan called SoumniBot has emerged, targeting Korean users. It showcases sophisticated obfuscation tactics aimed at evading detection and analysis. It takes a novel approach to obfuscation by targeting the Android manifest and exploiting vulnerabilities in the parsing and extraction process.

The malware uses the following techniques for this purpose:

  • Manipulating compression method validation: SoumniBot exploits a vulnerability related to the Compression method field in the Android manifest extraction process. By employing an invalid Compression method value, SoumniBot deceives the parser into treating the data as uncompressed, thus evading detection during installation.
  • Tampering with manifest size: Another intricate tactic employed by SoumniBot involves tampering with the stated size of the manifest file within the APK archive. By inflating the size and introducing overlay content, the malware outsmarts parsing mechanisms, circumventing checks that would typically flag such irregularities.
  • Utilising lengthy namespace names: SoumniBot further complicates analysis by incorporating excessively long strings as XML namespace names in the manifest. This obfuscation technique renders the manifest unreadable for both humans and automated tools while posing memory allocation challenges for parsers, bolstering its defences against detection.
Lengthy namespace names. | Source: Securelist

“The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices,” the researchers said.

Beyond its obfuscation prowess, SoumniBot boasts a sophisticated functionality tailored to target Korean users and pilfer sensitive data related to online banking transactions.

Upon execution, SoumniBot communicates with a remote server to retrieve configuration parameters, including server addresses for data retrieval and command reception. The malware deploys malicious services disguised to evade detection, such as data collection and discreet uploads.

Of particular concern is SoumniBot’s ability to pilfer digital certificates utilised by Korean banks’ clients for online banking authentication, posing a direct threat to financial security.

SoumniBot’s sophisticated obfuscation techniques pose substantial challenges for conventional analysis tools and security solutions. While active devices perceive the malware as legitimate, Google’s official APK analysis utility, apkanalyzer, encounters difficulty handling SoumniBot-infected files. However, several third-party antiviruses can detect SoumniBot.

In the News: Cybercriminals are exploiting TeamViewer to deliver ransomware

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>