SoumniBot Levels Up Obfuscation Game

Banking trojan malware, namely malware designed to intercept a victim’s banking-related information, including login passwords, so that funds can be fraudulently stolen, is an ever-present danger for those using banking applications on mobile phones.

A reminder of this danger is the recent discovery by security researchers at Kaspersky Labs of a new banking trojan called SoumniBot.

The banking trojan malware targets South Korean Android users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest extraction module.

In describing what the extraction module is and how SoumniBot abuses the module, researchers stated,

Any APK file is a ZIP archive with AndroidManifest.xml in the root folder. This file contains information about the declared components, permissions and other app data, and helps the operating system to retrieve information about various app entry points. Just like the operating system, the analyst starts by inspecting the manifest to find the entry points, which is where code analysis should start. This is likely what motivated the developers of SoumniBot to research the implementation of the manifest parsing and extraction routine, where they found several interesting opportunities to obfuscate APKs.

To achieve what the quote above describes, the malware's developers use three techniques to obfuscate the APK more effectively and evade detection.

The first has been described as an "invalid compression method value," a technique explained to a general audience in a recent Krebs On Security article.

In summary, the technique abuses a bug present in all Android OS versions. When exploited, the attacker corrupts components of an app so that the newly added malicious code is dismissed as invalid by popular mobile security scanning tools.

At the same time, the app as a whole is accepted as valid by Android OS and installed successfully. SoumniBot carries this out with an invalid compression method value that tricks the Android APK parser, allowing the malicious application to be installed.

The second technique used has been termed "invalid manifest size" and is described by researchers in the SoumniBot case as,

The header of AndroidManifest.xml entry inside the ZIP archive states the size of the manifest file. If the entry is stored uncompressed, it will be copied from the archive unchanged, even if its size is stated incorrectly. The manifest parser ignores any overlay, that is information following the payload that’s unrelated to the manifest. The malware takes advantage of this: the size of the archived manifest stated in it exceeds its actual size, which results in overlay, with some of the archive content being added to the unpacked manifest. Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors.

The last technique SoumniBot uses to obfuscate malicious code and evade detection is "long namespace names." To exploit this, the manifest contains very long strings used as the names of XML namespaces.

The manifest ultimately contains strings that are unreadable for both humans and software; in the latter case, analysis software may be unable to allocate enough memory to process them. The manifest parser in the OS ignores namespaces entirely, so the manifest is handled without errors.
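A defender-side check for the first two tricks, written for this page as an added example (it is not code from the Kaspersky report or from the article): it parses an APK's ZIP headers directly, because Python's zipfile refuses to read an entry whose compression method it does not know, and flags a non-standard compression method or a stated manifest size larger than the bytes actually present before the next entry. The sample archive and the tamper() mutations are constructed here purely for the demonstration; the long-namespace trick would need a binary XML parser and is not covered.

```python
import io
import struct
import zipfile
MANIFEST = b"AndroidManifest.xml"

def build_sample_apk() -> bytes:  # constructed stand-in for an APK, not a real app
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST.decode(), b"<manifest/>" * 4)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()

def manifest_headers(data: bytes):
    """Return (central record offset, local header offset, central dir offset)."""
    eocd = data.rfind(b"PK\x05\x06")                      # end of central directory
    total, _, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(total):                                # walk central records
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46:pos + 46 + nlen] == MANIFEST:
            return pos, struct.unpack_from("<I", data, pos + 42)[0], cd_off
        pos += 46 + nlen + xlen + clen
    raise ValueError("no AndroidManifest.xml entry")

def scan_manifest(data: bytes) -> list:
    """Flag the header anomalies described in the article; [] means clean."""
    cpos, loff, cd_off = manifest_headers(data)
    c_method, c_csize, c_usize = struct.unpack_from("<H8xII", data, cpos + 10)  # 8x skips time/date/CRC
    l_method, l_csize, l_usize, nlen, xlen = struct.unpack_from("<H8xIIHH", data, loff + 8)
    findings = []
    for where, m in (("central", c_method), ("local", l_method)):
        if m not in (0, 8):  # only Stored (0) and Deflate (8) are legitimate in an APK
            findings.append(f"invalid compression method {m} in {where} header")
    if (c_csize, c_usize) != (l_csize, l_usize):
        findings.append("manifest size differs between local and central headers")
    start = loff + 30 + nlen + xlen                        # first byte of manifest data
    nxt = data.find(b"PK\x03\x04", start)                 # next local header (heuristic)
    available = (nxt if 0 <= nxt < cd_off else cd_off) - start
    if max(c_csize, l_csize) > available:
        findings.append("stated manifest size exceeds the bytes present (overlay)")
    return findings

def tamper(data: bytes, method=None, inflate: int = 0) -> bytes:
    # Constructed mutation used only by the demo: rewrite both headers of the manifest.
    buf, (cpos, loff, _) = bytearray(data), manifest_headers(data)
    for off in ((cpos + 10, loff + 8) if method is not None else ()):
        struct.pack_into("<H", buf, off, method)
    for off in (cpos + 20, cpos + 24, loff + 18, loff + 22):  # comp/uncomp size fields
        struct.pack_into("<I", buf, off, struct.unpack_from("<I", buf, off)[0] + inflate)
    return bytes(buf)
```

A real APK can legitimately store the manifest with either method 0 or 8, so a hit on the method check alone is a strong signal of tampering, while the overlay check should be read alongside the central directory values the platform actually uses.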

SoumniBot Capabilities

All of these obfuscation techniques serve one purpose: letting the malware carry out the operations its developers intended. Once installed, the malware retrieves malicious payloads from servers hosted by the threat actors, and those same servers are used to send commands and exfiltrate data from a victim's device.

When the malware is run for the first time, the Trojan hides the app icon to complicate removal and then uploads data in the background from the victim’s device to the main site every 15 seconds.

The data includes the IP address, the country deduced from it, contact and account lists, SMS and MMS messages, and the victim's ID generated with the help of the trustdevice-android library.

One of the more notable features of the malware is its ability to search for .key and .der files whose paths contain /NPKI/yessign. These files often hold digital certificates issued by Korean banks to their clients, which are used to sign in to online banking services or confirm banking transactions.

Researchers noted that this is relatively uncommon for Android banking malware. While rare, proper use of this technique allows threat actors to empty unwitting victims’ wallets and circumvent authentication methods used by banks to approve transactions.

Kaspersky researchers concluded that,

The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code. We have detailed the techniques used by this Trojan, so that researchers around the world are aware of the tactics, which other types of malware might borrow in the future…To avoid becoming a victim of malware like that, we recommend using a reliable security solution on your smartphone to detect the Trojan and prevent it from being installed despite all its tricks.


About the author:

Karolis Liucveikis