A new type of Android malware named SoumniBot has been discovered, targeting users in South Korea. The malware uses clever tricks to evade detection, including misrepresenting the manifest file size and hiding its icon after installation. SoumniBot is notable for its unconventional approach to bypassing validation checks in the Android APK parser.
Android apps come with a manifest XML file that declares their components, permissions, and hardware and software requirements. Threat hunters typically begin their analysis by inspecting the app's manifest file to determine its behavior. SoumniBot's APK, however, declares an invalid compression method value for its manifest entry, which trips up standard tools when they try to unpack it.
The standard unarchiving function in the libziparchive library only allows specific values for the Compression method field in the record header: 0x0000 (STORED) and 0x0008 (DEFLATED). However, Android developers chose a different scenario for the APK parser, where the Compression method value is checked incorrectly, so an entry with an invalid method is still treated as uncompressed and its bytes are written out as-is.
SoumniBot also misreports the size of its manifest file in the APK header. The size of the AndroidManifest.xml entry is declared inaccurately, but because the entry is treated as uncompressed, the declared number of bytes is copied from the archive unaltered.
The manifest parser ignores any overlay or information after the payload that isn't connected to the manifest. SoumniBot exploits this: because the reported size exceeds the real size, the unpacked manifest ends up with part of the following archive content appended after the actual payload, and the parser simply skips over it.
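To make this parser-differential concrete from the defender's side, here is an added Python example (written for this page; it is not Kaspersky's code and nothing in it comes from the SoumniBot sample). It builds a small constructed APK-like zip, tampers the manifest entry the way the text describes, and then scans the central directory for the tell-tale signs: an invalid compression method, stored-entry sizes that disagree, and a declared payload that runs past the next header. The 0x0007 method value and the 24-byte overrun are arbitrary constructed values, and `extract_lenient` only mimics the lenient copy-as-is behaviour described above; it is not the Android parser's actual code.

```python
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0x0000, 0x0008
LOC_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

# Constructed placeholder payloads; a real manifest is Android binary XML.
MANIFEST = b"<manifest package='example.constructed'/>"
DEX = b"dex\n035\x00" + b"\x00" * 32


def build_sample_apk(tampered: bool = False) -> bytes:
    """Build a tiny constructed APK-like zip with two STORED entries.

    With tampered=True the manifest entry is rewritten as the text describes:
    an invalid compression method (0x0007, an arbitrary value that is neither
    STORED nor DEFLATED) and a compressed-size field claiming 24 bytes more
    than the real payload, patched into both the local and central headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", DEX)
    data = bytearray(buf.getvalue())
    if tampered:
        name = b"AndroidManifest.xml"
        loc = data.index(name) - 30                         # local file header
        cen = data.index(name, loc + 30 + len(name)) - 46   # central directory entry
        bogus = len(MANIFEST) + 24
        struct.pack_into("<H", data, loc + 8, 0x0007)       # local: method
        struct.pack_into("<I", data, loc + 18, bogus)       # local: compressed size
        struct.pack_into("<H", data, cen + 10, 0x0007)      # central: method
        struct.pack_into("<I", data, cen + 20, bogus)       # central: compressed size
    return bytes(data)


def _central_entries(data: bytes):
    """Parse the end-of-central-directory record, then every central entry."""
    eocd = data.rfind(EOCD_SIG)
    count, = struct.unpack_from("<H", data, eocd + 10)
    cd_offset, = struct.unpack_from("<I", data, eocd + 16)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("corrupt central directory")
        method, = struct.unpack_from("<H", data, pos + 10)
        csize, usize = struct.unpack_from("<II", data, pos + 20)
        fnlen, exlen, cmlen = struct.unpack_from("<HHH", data, pos + 28)
        lhoff, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        entries.append((name, method, csize, usize, lhoff))
        pos += 46 + fnlen + exlen + cmlen
    return entries, cd_offset


def _payload_start(data: bytes, lhoff: int) -> int:
    """Offset of an entry's data: local header (30 bytes) + name + extra."""
    fnlen, exlen = struct.unpack_from("<HH", data, lhoff + 26)
    return lhoff + 30 + fnlen + exlen


def scan_apk(data: bytes) -> dict:
    """Return {entry name: [anomalies]} for entries whose headers play games."""
    entries, cd_offset = _central_entries(data)
    bounds = sorted(e[4] for e in entries) + [cd_offset]
    findings = {}
    for name, method, csize, usize, lhoff in entries:
        issues = []
        if method not in (STORED, DEFLATED):
            issues.append(f"invalid compression method 0x{method:04x}")
        if method != DEFLATED and csize != usize:
            issues.append(f"stored entry sizes disagree ({csize} vs {usize})")
        loc_method, = struct.unpack_from("<H", data, lhoff + 8)
        loc_csize, = struct.unpack_from("<I", data, lhoff + 18)
        if (loc_method, loc_csize) != (method, csize):
            issues.append("local header disagrees with central directory")
        overrun = _payload_start(data, lhoff) + csize - bounds[bounds.index(lhoff) + 1]
        if overrun > 0:
            issues.append(f"declared payload overruns the next header by {overrun} bytes")
        if issues:
            findings[name] = issues
    return findings


def extract_lenient(data: bytes, wanted: str) -> bytes:
    """Mimic the lenient behaviour described above: anything not marked
    DEFLATED is copied out verbatim for its declared compressed size."""
    for name, method, csize, _usize, lhoff in _central_entries(data)[0]:
        if name == wanted:
            start = _payload_start(data, lhoff)
            blob = data[start:start + csize]
            return zlib.decompress(blob, -15) if method == DEFLATED else blob
    raise KeyError(wanted)


def strict_extract_ok(data: bytes, wanted: str) -> bool:
    """Python's zipfile is strict: an unknown method is an error, not STORED."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(wanted)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("tampered", build_sample_apk(True))):
        print(label, scan_apk(apk), len(extract_lenient(apk, "AndroidManifest.xml")),
              strict_extract_ok(apk, "AndroidManifest.xml"))
```

Run stand-alone it prints no findings for the clean archive and three for the tampered one, and `extract_lenient` returns the manifest followed by 24 bytes of the next entry's local header, which is exactly the "overlay" the text says the manifest parser ignores. In a triage pipeline the useful signal is the disagreement between a strict unpacker and the lenient one: an APK that a strict tool refuses to open but that Android installs happily deserves a closer look, though header anomalies on their own are an indicator, not proof of malice.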
Finally, SoumniBot uses very long strings for XML namespace names in its manifest file, which makes the manifest hard for automated analysis tools to process and check.
Once installed, SoumniBot remains active in the background and uploads data from the victim's device. It is essential to be aware of these techniques and protect your devices accordingly.