SoumniBot obfuscation: exploiting bugs in the Android manifest extraction and parsing procedure
In the ever-evolving landscape of mobile malware, cybercriminals are constantly seeking new methods to conceal their nefarious code. A prime example of such ingenuity is the discovery of SoumniBot, a new banker malware that specifically targets Korean users. Its developers have adopted a crafty technique to avoid detection: obfuscating the Android manifest, a critical component in the architecture of Android applications.
An APK file, essentially a ZIP archive, contains an AndroidManifest.xml at its root. This manifest is pivotal, detailing the app’s components, permissions, and other essential data. Analysts typically begin their investigation by examining the manifest to identify the app’s entry points. It appears that the creators of SoumniBot meticulously studied the manifest parsing and extraction routine, uncovering several opportunities to muddle APKs.
Technique 1: Invalid Compression method value
One of the obfuscation techniques exploits the way the libziparchive library unpacks entries: its unarchiving function recognises only two specific Compression method values. Android's APK parser, however, has an alternate code path in which the Compression method field is not validated correctly. This loophole lets a developer write any value other than the expected DEFLATED value into the field and still supply uncompressed data for the entry. While a correctly functioning unpacker would reject such a manifest, Android’s APK parser accepts it, allowing the application to install successfully.
Technique 2: Invalid manifest size
Another intriguing technique involves declaring an incorrect size for the AndroidManifest.xml entry within the ZIP archive. If the entry is uncompressed, it is copied as is, regardless of the stated size. The malware takes advantage of this by stating a size larger than the actual manifest, resulting in additional archive content being appended to the unpacked manifest. While stricter parsers would fail to read such a file, Android’s parser processes the invalid manifest without issue.
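The two ZIP-level anomalies described under Techniques 1 and 2 are exactly what a strict unpacker checks and Android's installer tolerates. The following audit is an added example (it is not code from the Kaspersky report or from any Android component): it reads the central directory and local file header of the manifest entry by hand, flags a Compression method other than STORED (0) or DEFLATED (8), and flags a declared size that runs past the next local header. The fixture builder, the entry contents, and the 0x3333 method number are constructed for the test; the check names and threshold choices are this example's own.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
STORED, DEFLATED = 0, 8          # the only two methods a strict APK unpacker accepts


def build_zip(entries):
    """Constructed test fixture: a minimal ZIP (local headers, central directory, EOCD).
    Each entry is (name, data, method, declared_size); the header fields are written
    exactly as given, so a test can produce a header that disagrees with its data."""
    out, central = bytearray(), bytearray()
    for name, data, method, declared in entries:
        name_b = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(out)
        out += LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, method, 0, 0,
                                       crc, declared, declared, len(name_b), 0)
        out += name_b + data
        central += CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, method, 0, 0,
                                             crc, declared, declared, len(name_b),
                                             0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = len(out)
    out += central
    out += EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(central), cd_offset, 0)
    return bytes(out)


def audit_manifest_entry(blob, target="AndroidManifest.xml"):
    """Check the target entry the way a strict unpacker would and return a list of
    findings (empty when the entry is well formed). Each finding corresponds to one
    of the header anomalies the installer is described as tolerating."""
    findings = []
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    _, _, _, count, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", blob, eocd + 4)

    # Read every central directory record: (name, method, csize, usize, crc, local offset).
    records, pos = [], cd_offset
    for _ in range(count):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            return [f"bad central directory signature at offset {pos}"]
        (_, _, _, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, loff) = struct.unpack_from("<HHHHHHIIIHHHHHII", blob, pos + 4)
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        records.append((name, method, csize, usize, crc, loff))
        pos += 46 + nlen + elen + clen

    # An entry's data must end before the next local header (or the central directory).
    boundaries = sorted(r[5] for r in records) + [cd_offset]
    for name, method, csize, usize, crc, loff in records:
        if name != target:
            continue
        if method not in (STORED, DEFLATED):
            findings.append(f"compression method {method:#06x} is neither STORED nor DEFLATED")
        if blob[loff:loff + 4] != LOCAL_SIG:
            findings.append("local file header signature missing")
            continue
        _, _, lmethod, _, _, _, lcsize, lusize, lnlen, lelen = struct.unpack_from(
            "<HHHHHIIIHH", blob, loff + 4)
        if (lmethod, lcsize, lusize) != (method, csize, usize):
            findings.append("local file header disagrees with the central directory")
        data_start = loff + 30 + lnlen + lelen
        limit = min(b for b in boundaries if b > loff)
        overrun = data_start + csize - limit
        if overrun > 0:
            findings.append(f"declared size {csize} overruns the next header by {overrun} bytes")
        if method == STORED:
            if csize != usize:
                findings.append("STORED entry whose compressed and uncompressed sizes differ")
            # Hash only the bytes that really belong to this entry.
            actual = blob[data_start:min(data_start + csize, limit)]
            if zlib.crc32(actual) & 0xFFFFFFFF != crc:
                findings.append("CRC32 of the stored data does not match the header")
    return findings
```

Run against a real APK, `audit_manifest_entry(open(path, "rb").read())` returns an empty list for a well-formed file. Python's own `zipfile` module refuses an entry with an unknown method outright (it raises `NotImplementedError`), which is the strict-unpacker behaviour the text contrasts with the installer; the audit above instead names the specific field that disagrees, which is more useful when triaging a sample.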
Technique 3: Long namespace names
The SoumniBot malware also employs excessively long strings as XML namespace names within the manifest. This can render the manifest unreadable for both humans and software, potentially causing the latter to fail due to memory allocation issues. However, the OS manifest parser overlooks namespaces, hence processing the manifest without errors.
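Namespace prefixes and URIs in a binary manifest are entries in the string pool that opens the file, so a tool can see their declared lengths before it decodes anything. The following is an added example (not code from the report or from the Android platform) that reads only the length words of a ResStringPool chunk and reports oversized entries, which lets a triage tool refuse a manifest before a decoder tries to allocate the strings. The fixture builder and the 1024-character threshold are this example's own assumptions; the sample strings are constructed.

```python
import struct

RES_STRING_POOL_TYPE = 0x0001   # chunk type of the ResStringPool that starts every binary XML
UTF8_FLAG = 0x100               # ResStringPool_header.flags bit: strings are UTF-8, not UTF-16


def build_string_pool(strings):
    """Constructed test fixture: a ResStringPool chunk in UTF-16 form with no styles,
    laid out the way the Android resource format defines it."""
    offsets, body = [], bytearray()
    for s in strings:
        offsets.append(len(body))
        n = len(s)
        if n >= 0x8000:                      # lengths >= 2^15 take two 16-bit words
            body += struct.pack("<HH", 0x8000 | (n >> 16), n & 0xFFFF)
        else:
            body += struct.pack("<H", n)
        body += s.encode("utf-16-le") + b"\x00\x00"
    while len(body) % 4:
        body += b"\x00"
    header_size = 28
    strings_start = header_size + 4 * len(strings)
    header = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, header_size,
                         strings_start + len(body), len(strings), 0, 0, strings_start, 0)
    return header + b"".join(struct.pack("<I", o) for o in offsets) + bytes(body)


def string_pool_lengths(chunk):
    """Return the declared character length of every string in a ResStringPool chunk
    without decoding the strings themselves, so oversized entries can be reported
    before any decoder tries to allocate them. Handles both UTF-16 and UTF-8 pools."""
    typ, hsize, _csize, count, _styles, flags, sstart, _ = struct.unpack_from("<HHIIIIII", chunk, 0)
    if typ != RES_STRING_POOL_TYPE:
        raise ValueError("not a ResStringPool chunk")
    lengths = []
    for off in struct.unpack_from(f"<{count}I", chunk, hsize):
        p = sstart + off
        if flags & UTF8_FLAG:
            n = chunk[p]                      # UTF-8 pools store the char count in 1 or 2 bytes
            if n & 0x80:
                n = ((n & 0x7F) << 8) | chunk[p + 1]
        else:
            n = struct.unpack_from("<H", chunk, p)[0]
            if n & 0x8000:                    # two-word length, as written by the fixture above
                n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", chunk, p + 2)[0]
        lengths.append(n)
    return lengths


def oversized_strings(chunk, limit=1024):
    """Indices of pool strings longer than `limit` characters. The limit is an assumed
    threshold; a manifest's namespace prefixes and URIs are normally a few dozen."""
    return [i for i, n in enumerate(string_pool_lengths(chunk)) if n > limit]
```

The check deliberately stops at the length words: the whole point of the technique is that a decoder which materialises every pool string will either stall or fail on allocation, so a pre-scan that never builds the strings is the safe place to reject the file.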
What’s under the obfuscation: SoumniBot’s functionality
Beneath its obfuscation techniques, SoumniBot’s functionality is focused on data exfiltration and command execution. Upon launch, it requests configuration parameters from a hardcoded server address. These parameters include server addresses for data collection and MQTT messaging for command reception. If the server fails to provide these parameters, default addresses embedded in the code are used.
Once operational, SoumniBot initiates a malicious service, attempting to restart every 16 minutes if it encounters any issues. Initially, it hides its app icon to hinder removal and begins uploading data from the victim’s device to the mainsite server at regular intervals. This data encompasses a wide range of personal information, including contact lists, messages, and even digital banking certificates. The malware also listens for commands from the MQTT server, which can instruct it to perform various actions, such as sending SMS messages, deleting or adding contacts, and more.
Notably, SoumniBot searches for digital certificates used for online banking, which are rarely targeted by Android banking malware. This capability allows cybercriminals to potentially bypass banking authentication methods and access victims’ funds directly.
Despite SoumniBot’s sophisticated obfuscation, security solutions like those from Kaspersky can detect and prevent the installation of this Trojan. The discovery of these techniques is crucial for the cybersecurity community, as they may be adopted by other malware in the future. Users are advised to employ reliable security solutions on their smartphones to safeguard against such threats.