Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Stealthy new banking malware spotted targeting Korean users

Novel SoumniBot malware takes advantage of Android manifest bugs to avoid detection.

user icon David Hollingworth
Mon, 22 Apr 2024
Stealthy new banking malware spotted targeting Korean users
expand image

Security researchers at Kaspersky have observed a new banking malware in circulation – and a particularly clever one at that.

It’s also rare in that it is only aimed at stealing the online banking keys of Korean users.

Dubbed SoumniBot by Kaspersky, the malware was only “recently discovered”, though no specific date range is given. Kaspersky does not go into any detail on how the malware is being spread.

============
============

But it’s how the malware obfuscates itself that has caught the attention of Kaspersky’s researchers.

“The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception,” said Kaspersky researcher Dmitry Kalinin in a blog post. “As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices.

“That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.”

The Android manifest contains metadata about Android apps, including application entry points. SoumniBot takes advantage of this functionality in three ways: by using an invalid compression method value, an invalid manifest size, and long namespace names.

The first method is relatively common for many kinds of malware and involves the fact that the Android Application Kit uses an unusual unarchiving function. Rather than recognising two states – DEFLATED (0x0008), which is compressed, or STORED (0x0000), which is uncompressed – the Android APK only recognises DEFLATED. Any other value is considered compressed.

“This allows app developers to put any value except 8 into Compression method and write uncompressed data,” Kaspersky said. “Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognises it correctly and allows the application to be installed.”

The second technique, invalid manifest size, relies on another quirk of the Android manifest – namely what it does when a compressed app’s size does not match its manifest entry. Any information outside that value creates what is called an overlay. While more strict parsers would be incapable of reading such a file, the Android manifest simply ignores the discrepancy.

“The malware takes advantage of this: the size of the archived manifest stated in it exceeds its actual size, which results in overlay, with some of the archive content being added to the unpacked manifest,” Kaspersky said.

Lastly, SoumniBot takes advantage of long namespace names – XML files with a string of characters so long that it takes simply too much memory to even read. But since the Android OS’s parser ignores that namespace completely, it handles such a manifest without throwing any errors.

Once installed, the malware hides its app icon, making removing the app even if it is spotted that much harder, and begins to upload data to the malware’s server infrastructure from the infected device, doing so every fifteen seconds. If the app is somehow stopped from running, it attempts to restart itself every 16 seconds.

The malware can collect IP addresses, and thus the country of the device, contact lists, phone messages, and a unique ID from Android’s own trustdevice-android library. It can also receive messages from its C&C infrastructure, allowing for several remote commands to be executed, including turning silent mode and the above functions.

Command 0 is, according to Kaspersky, worth a special mention.

“It searches, among other things, external storage media for .key and .der files that contain paths to /NPKI/yessign,” Kaspersky said.

“If the application finds files like that, it copies the directory where they are located into a ZIP archive and sends it to the C&C server. These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions.”

With these details, the threat actors behind SoumniBot can empty entire bank accounts.

The combination of such a specific target and its obfuscation methods makes SoumniBot a rare beast, according to Kaspersky; the security company has not attributed its use to any specific threat actor, however.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.