A new Android banking virus called 'SoumniBot' employs a less prevalent obfuscation technique, attacking flaws in the Android manifest extraction and parsing method.
The approach allows SoumniBot to bypass typical Android security safeguards and steal information.
Kaspersky researchers found and researched the virus, providing technical details on how it exploits the Android procedure to parse and extract APK manifests.
Fooling Android’s Parser
Manifest files ('AndroidManifest.xml') are located in each app's root directory and contain information about components (services, broadcast receivers, content providers), permissions, and app data.
While malicious APKs can employ multiple compression strategies to confuse security programs and elude inspection, Kaspersky analysts discovered that SoumniBot uses three separate methods to bypass parser tests, all of which entail manipulating the manifest file's compression and size.
How the virus works?
First, while unpacking the APK's manifest file, SoumniBot utilizes an erroneous compression number that differs from the normal values (0 or 8) anticipated by the Android 'libziparchive' library assigned to the role.
Rather than rejecting these numbers, the Android APK parser defaults to accepting the data as uncompressed due to a flaw, allowing the APK to evade protection and keep executing on the device.
The second way includes misreporting the size of the manifest file in the APK, providing a value that is greater than the true figure.
Since the file was tagged as uncompressed in the previous step, it is copied directly from the archive, with rubbish "overlay" data filling in the gaps.
According to Kaspersky, while this extra data does not immediately affect the device because Android is configured to disregard it, it does play an important role in misleading code analysis tools.
The third evasion tactic is to use excessively long strings as the names of XML namespaces in the manifest file, making it impossible for automated analysis tools to examine them, as they frequently lack enough capacity to parse them.
Google has been notified by Kaspersky that APK Analyzer, the official analysis tool for Android, cannot handle files that use the aforementioned evasion techniques.
The danger of SoumniBots
At the moment of activation, SoumniBot communicates the infected device's carrier, number, and other profile information, and asks its configuration options from a hardcoded server address.
Next, it creates a malicious service that sends stolen data from the victim every 15 seconds and restarts every 16 minutes if it is interrupted.
IP addresses, contact lists, account information, SMS messages, images, videos, and digital certificates for online banking are among the exfiltrated data.
The techniques by which SoumniBot infiltrates smartphones are unknown, however, they could range from distribution through dubious websites and unofficial Android marketplaces to upgrading legitimate programs in trustworthy repositories with malicious code.
Kaspersky offers a concise collection of compromise indications, comprising malware hashes and two domains utilized by malware operators for command and control operations.