SOUMNIBOT: Android Trojan Targets Banking Users

A new Android banking Trojan, called “SoumniBot”, has been discovered by cybersecurity researchers. It uses an unusual technique that abuses weaknesses in the way Android manifest files are extracted and parsed, which lets the malware evade standard security checks and steal sensitive information.

Researchers at Kaspersky Lab have identified and analyzed the technical details of how “SoumniBot” exploits the way the Android platform extracts and parses the APK manifest file.

Dmitry Kalinin, a researcher, explains, “Any APK file is a ZIP archive, where the AndroidManifest.xml file contains information about the application’s components, permissions, and other important data. This file helps the operating system extract information about entry points in the application.”

One of the key features of “SoumniBot” is its use of three different ways of manipulating the manifest file, including altering its size and compression fields, to bypass security checks.

  • The first method uses an invalid compression value for the manifest entry, so that the APK is still unpacked but standard security checks are bypassed.
  • The second method declares a wrong size for the manifest file, padding it with unnecessary data that misleads code analysis tools.
  • The third method uses extremely long XML namespace identifiers in the manifest file, making automated analysis harder.
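
As an added illustration of how a defender can spot all three manipulations from the ZIP headers alone (example code written for this page, not Kaspersky's tooling or Google's APK Analyzer), the script below walks the central directory of an archive, locates the AndroidManifest.xml entry and reports an unusual compression method, size fields that disagree with the bytes actually present, and implausibly long strings. The 200-character threshold and the `build_zip` fixture builder are assumptions made for the demonstration; the fixture is a bare one-entry ZIP, not an installable APK.

```python
import re
import struct
import zlib

MANIFEST = b"AndroidManifest.xml"
# Heuristic threshold (assumption): 200+ printable chars (ASCII or UTF-16LE) is far longer than a normal identifier.
LONG_RUN = re.compile(rb"(?:[\x20-\x7e]\x00?){200,}")

def build_zip(method, data, declared_usize=None):
    """Constructed fixture (not a real APK): one-entry ZIP with a chosen method value and size field."""
    usize = len(data) if declared_usize is None else declared_usize
    crc = zlib.crc32(data)  # data is written as given, so only stored-style fixtures are meaningful
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                        crc, len(data), usize, len(MANIFEST), 0) + MANIFEST + data
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method, 0, 0,
                       crc, len(data), usize, len(MANIFEST), 0, 0, 0, 0, 0, 0) + MANIFEST
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local), 0)
    return local + cdir + eocd

def inspect_manifest(blob):
    """Walk the central directory; return anomalies for AndroidManifest.xml ([] = looks ordinary)."""
    findings = []
    eocd_at = blob.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        return ["no end-of-central-directory record"]
    n_entries, _, pos = struct.unpack_from("<HII", blob, eocd_at + 10)
    for _ in range(n_entries):
        (_, _, _, _, method, _, _, crc, csize, usize, nlen, xlen, clen,
         _, _, _, loc_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        name = blob[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        if name != MANIFEST:
            continue
        # Method 1: compression value other than the two APK packers use (0 = stored, 8 = deflate)
        if method not in (0, 8):
            findings.append(f"unexpected compression method {method}")
        # Method 2: size fields on which local header, central directory and real bytes disagree
        lmethod, lcsize, lusize, lnlen, lxlen = struct.unpack_from("<H8xIIHH", blob, loc_off + 8)
        data = blob[loc_off + 30 + lnlen + lxlen:][:lcsize]
        if (lmethod, lcsize, lusize) != (method, csize, usize):
            findings.append("local header and central directory disagree")
        payload = zlib.decompress(data, -15) if method == 8 else data  # raw deflate has no zlib header
        if len(payload) != usize or zlib.crc32(payload) != crc:
            findings.append("declared size/CRC do not match the manifest bytes")
        # Method 3: implausibly long identifiers (e.g. XML namespace names) in the manifest
        if LONG_RUN.search(payload):
            findings.append("implausibly long string in manifest")
    return findings
```

Running it over a real sample means reading the APK bytes and passing them to `inspect_manifest`; a manifest that inflates cleanly with an ordinary method and matching sizes yields an empty list.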

Kaspersky Lab has reported that Google’s official APK Analyzer utility fails to handle files that use these bypass methods.

After installation, “SoumniBot” retrieves configuration parameters from a predefined server and sends information about the infected device, including the phone number and other data. The malware then starts a service that transmits data every 15 seconds, including IP addresses, contact lists, account details, messages, photos, videos, and online banking certificates.

The stolen data is sent through an MQTT server, which can also send commands to the infected device, such as adding or removing contacts, sending SMS messages, adjusting call volume, toggling silent mode, and enabling or disabling debugging mode.
