SoumniBot is a sophisticated malware strain that mainly targets banking data stored on Android devices.
SoumniBot is an Android-specific malware that recently caught the attention of cybersecurity experts at Kaspersky. It is designed to exfiltrate sensitive data from devices, particularly focusing on banking information.
Although this malware primarily targets Korean online banking customers, the sophisticated anti-analysis and anti-detection techniques it uses make this new banking Trojan a serious threat to all Android devices. It is also capable of stealing other personal data, such as your photos and videos, or of taking control of your phone.
SoumniBot fools the Android APK analyzer to bypass security tools
The Android malware SoumniBot uses sophisticated techniques to evade detection and analysis. The manifest file included in every Android application contains crucial information about that application, and SoumniBot manipulates this file to fool security tools.
First, SoumniBot uses an invalid compression method value for the manifest file inside the APK archive. This deviates from the standard values expected by the Android library “libziparchive”. Due to a bug, the Android APK analyzer treats such data as uncompressed by default, allowing the APK to bypass security checks.
Second, SoumniBot misreports the size of the manifest file in the APK, declaring a value larger than the actual figure. Because the file is marked as uncompressed, it is copied directly from the archive, with unwanted “overlay” data making up the difference. Android ignores this additional data, but it plays a crucial role in confusing code analysis tools.
Third, SoumniBot uses very long strings for XML namespace names in the manifest file. These are very difficult for automated analysis tools to check, as such tools often run out of memory while processing them.
Kaspersky informed Google that APK Analyzer, the official Android scanning utility, cannot handle files using these evasion methods, and has so far received no response or corrective update.
SoumniBot does damage, but it is detectable and preventable
Once installed on a device, SoumniBot begins collecting information. It establishes a connection with its C&C (Command and Control) server and starts sending it data such as the IP address, geolocation data, the list of installed applications, the mobile service provider, the phone number, contact lists, accounts, ringtone volume levels, etc.
SoumniBot can also add and remove contacts. It is capable of exfiltrating victims’ SMS and MMS messages, and can even send text messages. Although the latter feature was not being used for anything elaborate at the time of the research, it is worth noting that the SoumniBot developers could upgrade it to work like toll fraud malware.
This program can also exfiltrate photos and videos stored on compromised devices, and it can switch between a silent mode and a debug mode.
Although harmful, SoumniBot, like other mobile malware such as Gold Pickaxe, can be detected by any user. If your device is running slowly, you notice system settings modified without your authorization, or questionable applications appear, it is very likely that you have installed SoumniBot unwittingly. The same applies if your data usage is soaring and your battery is draining fast.
The best solution remains prevention: Clubic recommends its selection of the best antivirus apps for Android.
Source: Bleeping Computer, Kaspersky