A newly discovered Android banking malware steals data by exploiting weaknesses in the way Android extracts and parses APK manifests. By abusing the Android routine that parses and extracts the APK manifest (the file that defines an application's structure and holds its metadata), the malware is reportedly able to bypass common security precautions built into Android.
Researchers found that the malware can collect user data such as digital certificates for online banking, contact lists, IP addresses, account information, SMS messages, and photos and videos. It can also be controlled remotely through a server and execute commands that carry out destructive actions, including sending SMS messages, adjusting ringtone volume, adding or removing contacts, and turning the device's debug mode on or off.
Although the exact infection mechanism is unknown, experts suspect the malware spreads to devices through dubious websites and unofficial Android app stores. Researchers also note that updates to legitimate apps that embed malicious code could be another way the infection is distributed.
When Kaspersky researchers first discovered and analysed the malware, they found that it uses malformed APKs to deceive security tools and avoid inspection. Further analysis showed that it relies on three distinct techniques to evade the Android operating system's checks, including tampering with the manifest file's size and compression.
Like many malicious Android apps, the malware hides its icon after installation, which makes it harder to notice and remove. It nevertheless keeps running in the background, giving the threat actors access to the stolen data.
Tricking the parser
Android manifest files, named AndroidManifest.xml, sit in the root directory of every application package and describe its components (services, broadcast receivers, content providers), its permissions, and its app metadata.
Malicious APKs can dodge detection and mislead security scanners with a variety of compression tricks, including ones previously documented by Zimperium, but Kaspersky analysts found that SoumniBot uses three distinct techniques, all manipulating the manifest file's size and compression, to get past parser checks.
First, SoumniBot gives the manifest entry an invalid compression method value when the APK is packed, deviating from the standard values (0 for stored, 8 for deflate) that Android's 'libziparchive' library expects when it unpacks the manifest.
Rather than rejecting such values as invalid, the Android APK parser treats the data as uncompressed because of a flaw, which lets the APK evade security checks and keep running on the device.
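As a defender's check for the manifest trick described above, here is an added example (not Kaspersky's code and not from the malware): a Python scanner that walks an APK's ZIP central directory and flags a manifest entry whose compression method is outside {0, 8} or whose declared sizes disagree. The `build_sample` fixture and its placeholder file contents are constructed here purely to exercise the scanner.

```python
import io
import struct
import zipfile

# Central-directory record and end-of-central-directory layouts from the
# PKWARE APPNOTE; the fixed part of a central-directory record is 46 bytes.
CD_SIG, CD_FMT = b"PK\x01\x02", "<4sHHHHHHIIIHHHHHII"
EOCD_SIG, EOCD_FMT = b"PK\x05\x06", "<4sHHHHIIH"
VALID_METHODS = {0, 8}  # 0 = stored, 8 = deflate: what libziparchive accepts
MANIFEST = "AndroidManifest.xml"


def scan_apk(data: bytes) -> list:
    """Walk the central directory of an APK (a ZIP file) and report a manifest
    entry whose compression method is not 0/8 or whose sizes are inconsistent."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    hdr = struct.unpack_from(EOCD_FMT, data, eocd)
    count, cd_off = hdr[4], hdr[6]          # total entries, central dir offset
    findings, pos = [], cd_off
    for _ in range(count):
        rec = struct.unpack_from(CD_FMT, data, pos)
        if rec[0] != CD_SIG:
            findings.append(f"corrupt central directory record at offset {pos}")
            break
        method, csize, usize = rec[4], rec[8], rec[9]
        nlen, xlen, clen = rec[10], rec[11], rec[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if name == MANIFEST:
            if method not in VALID_METHODS:
                findings.append(f"{name}: invalid compression method {method:#06x}")
            if method == 0 and csize != usize:
                findings.append(f"{name}: stored entry but sizes differ ({csize} != {usize})")
        pos += 46 + nlen + xlen + clen
    return findings


def build_sample(method: int, declared_size: int = None) -> bytes:
    """Constructed test fixture, not a real sample: a minimal APK-like ZIP whose
    manifest record has its compression method (and optionally its declared
    uncompressed size) overwritten in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST, b"<manifest/>")  # placeholder content (11 bytes)
        z.writestr("classes.dex", b"dex\n")   # placeholder content
    data = bytearray(buf.getvalue())
    rec = data.find(CD_SIG)                   # manifest was written first
    struct.pack_into("<H", data, rec + 10, method)        # method field
    if declared_size is not None:
        struct.pack_into("<I", data, rec + 24, declared_size)  # uncompressed size
    return bytes(data)
```

Run `scan_apk` over a real APK's bytes; an empty list means the manifest entry passed both checks.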