New Android Malware SoumniBot Evades Detection with Invalid Manifest File Size and Uncompressed Data

Seoul, South Korea

  • Long strings for XML namespace names make it difficult for analysis tools to check them
  • The malware uses an invalid manifest file size and uncompressed data to evade detection
  • New Android malware named SoumniBot discovered targeting users in South Korea
  • SoumniBot misreports the manifest file size in the APK header and adds extra content to the unpacked manifest

A new type of Android malware named SoumniBot has been discovered, targeting users in South Korea. The malware uses clever tricks to evade detection, including misrepresenting the manifest file size and hiding its icon after installation. SoumniBot is notable for its unconventional approach to bypassing validation checks in the Android APK parser.

Android apps come with a manifest XML file that declares their components, permissions, and hardware and software requirements. Threat hunters typically begin their analysis by inspecting the app's manifest file to determine its behavior. However, SoumniBot's manifest entry carries an invalid compression method value, so the manifest does not unpack the way analysis tools expect.

The standard unarchiving function in the libziparchive library only allows two values for the Compression method field in the record header: 0x0000 (STORED) and 0x0008 (DEFLATED). However, Android's own manifest-extraction path handles a different scenario: it validates the Compression method value incorrectly, with the result that the entry's data is simply copied out uncompressed.

SoumniBot also misreports the size of its manifest file in the APK header. The size declared for the AndroidManifest.xml entry is larger than the real one, but because the entry is stored uncompressed, the declared number of bytes is copied from the archive unaltered.

The manifest parser ignores any overlay, that is, data following the payload that is unrelated to the manifest. SoumniBot exploits this: because the reported size exceeds the real size, part of the surrounding archive content is appended to the unpacked manifest as such an overlay, which Android tolerates but stricter parsers do not.

Finally, SoumniBot uses very long strings for XML namespace names in its manifest file, making it difficult for automated analysis tools to check them.
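As an added example (not code from the article or from Kaspersky's research), the following Python script applies structural checks for the first two techniques to an APK's AndroidManifest.xml entry: it flags a compression method other than STORED/DEFLATED, a disagreement between the local file header and the central directory, a STORED entry whose compressed and uncompressed sizes differ, and a declared size larger than the bytes physically present before the next header. The sample archive, its entry contents and the two malformed fixtures are constructed here purely to exercise the checks; the long-namespace technique would need a binary-XML parser and is not covered.

```python
"""Structural checks for manifest-entry evasions in an APK (zip) container.

Added example, not from the article or from Kaspersky. Sample files, entry
contents and the two malformed fixtures are constructed here for testing.
"""
import io
import struct
import zipfile
from typing import List, Optional

# Local file header: sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
LOCAL_HDR = struct.Struct("<4s5H3I2H")  # 30 bytes
# End-of-central-directory record: sig, disk, cd disk, entries (disk), entries (total), cd size, cd offset, comment len
EOCD = struct.Struct("<4s4H2IH")  # 22 bytes
# The only Compression method values libziparchive accepts: 0x0000 and 0x0008.
ALLOWED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def _central_dir_offset(buf: bytes) -> int:
    """Locate the central directory via the end-of-central-directory record."""
    pos = buf.rfind(b"PK\x05\x06")
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    return EOCD.unpack_from(buf, pos)[6]


def check_manifest_entry(buf: bytes, name: str = "AndroidManifest.xml") -> List[str]:
    """Return finding codes for the named entry; an empty list means it looks clean."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
    # Each entry's data must end before the next local header (or the central directory).
    next_offsets = [i.header_offset for i in infos[1:]] + [_central_dir_offset(buf)]
    for zi, next_off in zip(infos, next_offsets):
        if zi.filename != name:
            continue
        # Technique 1: any method other than STORED/DEFLATED is invalid.
        if zi.compress_type not in ALLOWED_METHODS:
            findings.append("invalid-compression-method")
        sig, _ver, _flags, method, _t, _d, _crc, csize, _usize, nlen, elen = \
            LOCAL_HDR.unpack_from(buf, zi.header_offset)
        if sig != b"PK\x03\x04":
            findings.append("bad-local-header")
            continue
        # The local header and the central directory describe the same entry and
        # should agree; parsers that trust different copies can be played off each other.
        if method != zi.compress_type or csize != zi.compress_size:
            findings.append("local-central-mismatch")
        # Technique 2: a STORED entry is copied verbatim, so both sizes must match ...
        if zi.compress_type == zipfile.ZIP_STORED and zi.compress_size != zi.file_size:
            findings.append("stored-size-mismatch")
        # ... and the declared size cannot exceed the bytes physically present
        # before the next header. A larger value means the extracted manifest
        # would carry an overlay of whatever follows it in the archive.
        data_start = zi.header_offset + LOCAL_HDR.size + nlen + elen
        if zi.compress_size > next_off - data_start:
            findings.append("declared-size-exceeds-data")
    return findings


def build_sample_apk() -> bytes:
    """Constructed, APK-shaped zip used as the clean baseline (not a real app)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.test'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return out.getvalue()


def _patch_entry(buf: bytes, name: bytes, *, method: Optional[int] = None,
                 size: Optional[int] = None) -> bytes:
    """Rewrite method/size fields of one entry in both headers (test fixtures only)."""
    b = bytearray(buf)
    # (signature, method offset, size offset, name-length offset, fixed header length)
    for sig, m_off, s_off, n_off, hdr_len in ((b"PK\x03\x04", 8, 18, 26, 30),
                                              (b"PK\x01\x02", 10, 20, 28, 46)):
        pos = -1
        while True:
            pos = b.find(sig, pos + 1)
            if pos < 0:
                raise ValueError(f"entry {name!r} not found")
            nlen = struct.unpack_from("<H", b, pos + n_off)[0]
            if b[pos + hdr_len:pos + hdr_len + nlen] == name:
                break
        if method is not None:
            struct.pack_into("<H", b, pos + m_off, method)
        if size is not None:
            struct.pack_into("<II", b, pos + s_off, size, size)  # compressed and uncompressed
    return bytes(b)


def fixture_invalid_method() -> bytes:
    """Constructed fixture: manifest entry with an unsupported Compression method value."""
    return _patch_entry(build_sample_apk(), b"AndroidManifest.xml", method=0x0001)


def fixture_oversized_manifest() -> bytes:
    """Constructed fixture: manifest entry declaring 40 bytes more than it holds."""
    real = len(b"<manifest package='example.test'/>")
    return _patch_entry(build_sample_apk(), b"AndroidManifest.xml", size=real + 40)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk()),
                          ("invalid method", fixture_invalid_method()),
                          ("oversized manifest", fixture_oversized_manifest())):
        print(f"{label:20s} {check_manifest_entry(sample) or 'no findings'}")
```

The size check is deliberately structural rather than CRC-based: the CRC field is under the attacker's control and can be computed over the oversized read, so a CRC match proves nothing here, whereas the declared size can never legitimately exceed the space before the next header. Recent CPython releases apply a comparable overlap test when an entry is opened, which is why the script only reads the central directory and the raw headers instead of extracting the entry.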

Once installed, SoumniBot remains active in the background and uploads data from the victim's device. It is essential to be aware of these techniques and protect your devices accordingly.



Confidence

100%

No Doubts Found At Time Of Publication

Sources

95%

  • Unique Points
    • SoumniBot is a new Android banker targeting Korean users with unique obfuscation techniques.
    • SoumniBot uses long strings as namespace names, making the manifests unreadable for both humans and programs.
    • Technique 1: Invalid Compression method value - this is used by SoumniBot to invalidate compression method validation, allowing for uncompressed data to be added to the manifest.
    • Technique 2: Invalid manifest size - this technique involves adding excess data to the manifest, which can be handled by Android but not by stricter parsers.
    • SoumniBot searches for .key and .der files containing paths to /NPKI/yessign on external storage media.
  • Accuracy
    • SoumniBot is a new Android banker targeting Korean users.
    • SoumniBot uses three different methods that involve manipulation of the manifest file's compression and size to bypass parser checks.
    • Once installed, SoumniBot remains active in the background and uploads data from the victim's device.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article by Dmitry Kalinin contains three fallacies: Technique 1: Invalid Compression method value and Technique 2: Invalid manifest size are examples of formal fallacies as they involve a misuse or misunderstanding of the rules or procedures involved. The third fallacy, Long namespace names, is an example of a dichotomous depiction as it creates an unfair contrast between human and program capabilities in handling long strings. However, since there are only three examples provided and no repetition of fallacies, the score is 85.
    • The developers of Android chose to implement an alternate scenario, where the value of the Compression method field is validated incorrectly.
    • The manifest parser ignores any overlay, that is information following the payload that’s unrelated to the manifest. The malware takes advantage of this: the size of the archived manifest stated in it exceeds its actual size, which results in overlay, with some of the archive content being added to the unpacked manifest.
    • Very long strings in the manifest… used as namespace names
  • Bias (95%)
    The author demonstrates a technical analysis of an Android malware named SoumniBot. While the article is informative and neutral in tone, the author's bias becomes apparent when discussing the implications of SoumniBot's techniques. The author expresses disapproval towards the creators of this malware for attempting to maximize their number of victims without being detected, implying a negative view towards their actions. This is an example of moralistic bias.
    • Malware creators seek to maximize the number of devices they infect without being noticed.
      • This motivates them to look for new ways of complicating detection.
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • SoumniBot malware exploits Android bugs to evade detection.
    • SoumniBot uses three different methods that involve manipulation of the manifest file’s compression and size to bypass parser checks.
    • First, SoumniBot uses an invalid compression value when unpacking the APK’s manifest file, which diverges from the standard values expected by Android’s libziparchive library.
    • Second, SoumniBot misreports the size of the manifest file in the APK, supplying a value larger than the actual figure.
    • Third, SoumniBot uses very long strings for the names of XML namespaces in the manifest file, making it difficult for automated analysis tools to check them.
  • Accuracy
    • The malware was discovered and analyzed by Kaspersky researchers.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    No formal fallacies found. However, there are a few informal fallacies and dichotomous depictions present in the article.
    • The malware was discovered and analyzed by Kaspersky researchers, who provide the technical details on the methods the malware uses to take advantage of the Android routine to parse and extract APK manifests.
    • ...while it is unclear how SoumniBot reaches devices...
    • It is unclear how SoumniBot reaches devices but methods may vary from distribution over third-party Android stores and unsafe websites to updating with malicious code legitimate apps in trusted repositories.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

100%

  • Unique Points
    • A new Android malware named SoumniBot has been discovered and is targeting users in South Korea.
    • SoumniBot uses clever tricks to avoid detection, including misrepresenting the manifest file size and hiding its icon after installation.
    • SoumniBot is notable for its unconventional approach to evading analysis and detection, as it can bypass validation checks in the Android APK parser.
    • Once installed, SoumniBot remains active in the background and uploads data from the victim’s device.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • SoumniBot is a new banker targeting Korean users.
    • It uses an unusual method to evade investigation and detection, notably obfuscating the Android manifest.
    • The creators of SoumniBot succeeded due to insufficient validation in the Android manifest parser code.
    • Long strings representing XML namespaces make manifests unreadable for people and programs.
  • Accuracy
    • The malware can steal Korean online banking keys.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication