- April 19, 2024
- Posted by: administrator
- Category: Google
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea. It evades analysis by exploiting the leniency of Android's own manifest extraction and parsing code, which accepts a manifest that stricter tools cannot read.
The malware is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest,” Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file (“AndroidManifest.xml”) that’s located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.
Because analysts typically begin by inspecting an app's manifest to determine what it does, the operators behind the malware use three different techniques to make that step considerably harder.
The first method sets an invalid Compression method value in the ZIP entry that holds the manifest. Android unpacks APKs with the libziparchive library, which treats any value other than 0x0000 (stored) or 0x0008 (Deflate) as uncompressed data.
“This allows app developers to put any value except 8 into the Compression method and write uncompressed data,” Kalinin explained.
“Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed.”
It’s worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the size of the archived manifest, declaring a value larger than the real file. Because the entry is treated as uncompressed, it is copied straight out of the archive at the declared size, so the real manifest is followed by filler "overlay" data; the Android manifest parser reads the manifest and ignores the overlay.
“Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors,” Kalinin said.
The final technique uses extremely long XML namespace names in the manifest, which analysis tools may fail to process because they cannot allocate enough memory for them. Android's manifest parser, however, ignores namespaces, so it handles such a file without raising any errors.
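All three tricks turn on the gap between what a lenient parser tolerates and what a strict one rejects, so an analyst's first question is simply whether the manifest entry looks normal at the ZIP and binary-XML layers. The triage script below is an added example; it is not Kaspersky's tooling or Android's code. It reads the APK's central directory by hand (Python's zipfile module refuses entries with an unknown compression method), copies the manifest bytes the way a "treat it as stored" code path would, and flags the three anomalies: a compression method other than 0 or 8, a declared entry size larger than the size recorded in the manifest's own AXML chunk header (the overlay), and an oversized entry in the manifest string pool, which is where namespace prefixes and URIs are stored. The sample archive, the minimal binary-XML manifest it contains, the 1024-character threshold and the wording of the findings are all constructed for this example.

```python
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8                    # the only ZIP methods a strict unpacker accepts
RES_XML_TYPE, RES_STRING_POOL_TYPE, UTF8_FLAG = 0x0003, 0x0001, 0x100
LONG_STRING = 1024                         # assumption: no legitimate manifest string is this long


def central_directory(data):
    """Yield (name, method, comp_size, uncomp_size, local_header_offset) for every entry."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        method, = struct.unpack_from("<H", data, pos + 10)
        comp, uncomp = struct.unpack_from("<II", data, pos + 20)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lho, = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"), method, comp, uncomp, lho
        pos += 46 + nlen + elen + clen


def _len8(buf, p):
    """AXML UTF-8 length field: one byte, or two when the high bit of the first is set."""
    n = buf[p]
    return (((n & 0x7F) << 8) | buf[p + 1], p + 2) if n & 0x80 else (n, p + 1)


def string_pool(axml):
    """Decode the manifest's string pool, which is where namespace prefixes and URIs live."""
    pos = 8                                # skip the RES_XML_TYPE chunk header
    ctype, _, _, count, _, flags, strings_start, _ = struct.unpack_from("<HHIIIIII", axml, pos)
    if ctype != RES_STRING_POOL_TYPE:
        raise ValueError("first chunk is not a string pool")
    out = []
    for off in struct.unpack_from("<%dI" % count, axml, pos + 28):
        p = pos + strings_start + off
        if flags & UTF8_FLAG:
            _chars, p = _len8(axml, p)     # UTF-16 char count comes first; not needed here
            nbytes, p = _len8(axml, p)
            out.append(axml[p:p + nbytes].decode("utf-8", "replace"))
        else:                              # UTF-16 pool: 16-bit length, two words when the high bit is set
            n, = struct.unpack_from("<H", axml, p)
            if n & 0x8000:
                n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", axml, p + 2)[0]
                p += 2
            out.append(axml[p + 2:p + 2 + 2 * n].decode("utf-16-le", "replace"))
    return out


def check_manifest(apk):
    """Findings for AndroidManifest.xml; an empty list means the entry looks normal."""
    for name, method, comp, uncomp, lho in central_directory(apk):
        if name != "AndroidManifest.xml":
            continue
        findings = []
        if method not in (STORED, DEFLATED):
            findings.append("invalid compression method 0x%04x; Android treats it as stored" % method)
        # Copy the entry bytes exactly as stored, which is what the 'treat as uncompressed' path does.
        nlen, elen = struct.unpack_from("<HH", apk, lho + 26)
        raw = apk[lho + 30 + nlen + elen:lho + 30 + nlen + elen + comp]
        axml = zlib.decompress(raw, -15) if method == DEFLATED else raw
        ctype, _, chunk_size = struct.unpack_from("<HHI", axml, 0)
        if ctype != RES_XML_TYPE:
            return findings + ["entry does not start with a RES_XML_TYPE chunk"]
        if chunk_size < len(axml):
            findings.append("%d bytes of overlay follow the %d-byte AXML chunk" % (len(axml) - chunk_size, chunk_size))
        for s in string_pool(axml[:chunk_size]):
            if len(s) > LONG_STRING:
                findings.append("string pool entry of %d chars, likely an oversized namespace" % len(s))
        return findings
    raise ValueError("AndroidManifest.xml not found")


def _enc8(s):
    """One UTF-8 AXML pool entry: char length, byte length, bytes, NUL."""
    raw = s.encode("utf-8")
    lens = b"".join(bytes([n]) if n < 0x80 else bytes([0x80 | (n >> 8), n & 0xFF]) for n in (len(s), len(raw)))
    return lens + raw + b"\x00"


def build_axml(strings):
    """Constructed minimal binary XML: RES_XML_TYPE header plus a UTF-8 string pool, no element chunks."""
    encoded = [_enc8(s) for s in strings]
    offsets = [sum(len(e) for e in encoded[:i]) for i in range(len(encoded))]
    body = b"".join(encoded)
    body += b"\x00" * (-len(body) % 4)
    pool_size = 28 + 4 * len(strings) + len(body)
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, pool_size, len(strings), 0, UTF8_FLAG, 28 + 4 * len(strings), 0)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + pool_size) + pool + struct.pack("<%dI" % len(strings), *offsets) + body


def build_sample(method=STORED, overlay=0, ns_len=7):
    """Constructed APK-like archive; the arguments reproduce the three tricks on demand."""
    axml = build_axml(["android", "http://schemas.android.com/apk/res/android", "n" * ns_len])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", axml + b"\x00" * overlay)  # overlay rides inside the entry
        z.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    struct.pack_into("<H", data, data.find(b"PK\x03\x04") + 8, method)   # local header method field
    struct.pack_into("<H", data, data.find(b"PK\x01\x02") + 10, method)  # central directory method field
    return bytes(data)
```

Running `check_manifest(build_sample(method=0x0003, overlay=64, ns_len=2000))` yields one finding per trick, while `check_manifest(build_sample())` yields none; on a real APK, pass `open(path, "rb").read()` instead. The overlay check compares the ZIP entry's declared size with the size field inside the manifest's own chunk header rather than with any external reference, which is exactly the information a stock manifest parser uses to decide where the manifest ends.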
Once launched, SoumniBot requests its configuration from a hard-coded server address; the configuration supplies two further servers, one to which collected data is sent and one from which commands are received over the MQTT messaging protocol.
It starts a malicious service that is restarted every 16 minutes if it terminates for any reason and that uploads collected information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and the list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android's debug mode, as well as hiding the app icon to make it harder to uninstall from the device.
NOTE: This article is copyright thehackernews.com and is reproduced here for educational and informational purposes only.