A recently discovered Android banking malware named ‘SoumniBot’ is employing a clever technique to hide its malicious activities from standard security measures on Android devices. This method involves exploiting weaknesses in the way Android extracts and interprets APK manifest files.
Manifest files, found in every app’s root directory, contain crucial information about the app’s components, permissions, and data. Typically, security tools rely on these files to detect and analyze potential threats. However, SoumniBot employs three different tactics to deceive the Android system and avoid detection.
Firstly, it uses an unusual compression value when unpacking the manifest file, tricking the Android system into treating it as uncompressed and bypassing security checks. Secondly, it misreports the file’s size, filling the extra space with meaningless data to confuse analysis tools. Lastly, it employs long strings for XML namespaces, overwhelming automated analysis tools with complex data.
Kaspersky researchers, who analyzed the malware, have alerted Google about the shortcomings of its official analysis utility, APK Analyzer, in handling files manipulated by SoumniBot.
Once installed on a device, SoumniBot retrieves configuration parameters from a preset server and gathers information about the device. It then starts a hidden service that sends stolen data to the attackers every 15 seconds. This stolen data includes sensitive information like IP addresses, contacts, account details, SMS messages, multimedia files, and online banking certificates.
The malware receives commands via an MQTT server, enabling attackers to control various functions such as manipulating contacts, sending SMS messages, adjusting volume settings, and toggling device modes.
Though it’s unclear how SoumniBot spreads, it likely targets users through third-party app stores or unsafe websites. Once installed, it hides its icon to evade detection but remains active in the background, continuously sending data to the attackers.
Kaspersky has provided a list of indicators to help identify devices infected with SoumniBot, including malware hashes and domains used for command and control operations. Google has assured users that its Play Protect feature guards against known versions of this malware, even outside the Google Play Store.