{
	"id": "00414a04-1453-42cd-ae50-42c2a761b837",
	"created_at": "2026-04-06T00:15:18.534307Z",
	"updated_at": "2026-04-10T13:12:21.50397Z",
	"deleted_at": null,
	"sha1_hash": "6c498515b23b126d5cecaa8a14120306639ff3f8",
	"title": "SoumniBot: the new Android banker’s unique techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 350102,
	"plain_text": "SoumniBot: the new Android banker’s unique techniques\r\nBy Dmitry Kalinin\r\nPublished: 2024-04-17 · Archived: 2026-04-05 15:10:39 UTC\r\nThe creators of widespread malware programs often employ various tools that hinder code detection and analysis,\r\nand Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for\r\nstealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who\r\nattack mobile devices. That said, we recently discovered a new banker, SoumniBot, which targets Korean users\r\nand is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the\r\nAndroid manifest.\r\nSoumniBot obfuscation: exploiting bugs in the Android manifest extraction and\r\nparsing procedure\r\nAny APK file is a ZIP archive with AndroidManifest.xml in the root folder. This file contains information about\r\nthe declared components, permissions and other app data, and helps the operating system to retrieve information\r\nabout various app entry points. Just like the operating system, the analyst starts by inspecting the manifest to find\r\nthe entry points, which is where code analysis should start. This is likely what motivated the developers of\r\nSoumniBot to research the implementation of the manifest parsing and extraction routine, where they found\r\nseveral interesting opportunities to obfuscate APKs.\r\nTechnique 1: Invalid Compression method value\r\nThis is a relatively well-known technique used by various types of malware including SoumniBot and associated\r\nwith the way manifests are unpacked. 
In the libziparchive library, the standard unarchiving function permits only two\r\nCompression method values in the record header: 0x0000 (STORED, that is uncompressed) and 0x0008\r\n(DEFLATED, that is compressed with deflate from the zlib library), or else it returns an error.\r\nhttps://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/\r\nPage 1 of 10\n\nlibziparchive unarchiving algorithm\r\nYet, instead of using this function, the developers of Android chose to implement an alternate scenario, where the\r\nvalue of the Compression method field is validated incorrectly.\r\nManifest extraction procedure\r\nIf the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the\r\nAndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value\r\nexcept 8 into Compression method and write uncompressed data. Although any unpacker that correctly\r\nimplements compression method validation would consider a manifest like that invalid, the Android APK parser\r\nrecognizes it correctly and allows the application to be installed. The image below illustrates the way the\r\ntechnique is executed in the file b456430b4ed0879271e6164a7c0e4f6e.\r\nInvalid Compression method value followed by uncompressed data\r\nTechnique 2: Invalid manifest size\r\nLet’s use the file 0318b7b906e9a34427bf6bbcf64b6fc8 as an example to review the essence of this technique. The\r\nheader of the AndroidManifest.xml entry inside the ZIP archive states the size of the manifest file. If the entry is\r\nstored uncompressed, it will be copied from the archive unchanged, even if its size is stated incorrectly. 
The\r\nmanifest parser ignores any overlay, that is information following the payload that’s unrelated to the manifest. The\r\nmalware takes advantage of this: the size of the archived manifest stated in it exceeds its actual size, which results\r\nin overlay, with some of the archive content being added to the unpacked manifest. Stricter manifest parsers\r\nwouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any\r\nerrors.\r\nThe stated size of the manifest is much larger than its actual size\r\nNote that although live devices interpret these files as valid, apkanalyzer, Google’s own official utility for\r\nanalyzing assembled APKs, cannot handle them. We have notified Google accordingly.\r\nTechnique 3: Long namespace names\r\nThe SoumniBot malware family, for example the file fa8b1592c9cda268d8affb6bceb7a120, has used this\r\ntechnique as well. The manifest contains very long strings, used as the names of XML namespaces.\r\nVery long strings in the manifest…\r\n…used as namespace names\r\nManifests that contain strings like these become unreadable for both humans and programs, and the latter may\r\nnot be able to allocate enough memory to process them. The manifest parser in the OS itself completely ignores\r\nnamespaces, so the manifest is handled without errors.\r\nWhat’s under the obfuscation: SoumniBot’s functionality\r\nWhen started, the application requests a configuration with two parameters, mainsite and mqtt, from the server,\r\nwhose address is a hardcoded constant.\r\nParameter request\r\nBoth parameters are server addresses, which the malware needs for proper functioning. 
The mainsite server\r\nreceives collected data, and mqtt provides MQTT messaging functionality for receiving commands. If the source\r\nserver did not provide these parameters for some reason, the application will use the default addresses, also stored\r\nin the code.\r\nAfter requesting the parameters, the application starts a malicious service. If it cannot start or stops for some\r\nreason, a new attempt is made every 16 minutes. When run for the first time, the Trojan hides the app icon to\r\ncomplicate removal, and then starts to upload data in the background from the victim’s device to mainsite every\r\n15 seconds. The data includes the IP address, country deduced from that, contact and account lists, SMS and\r\nMMS messages, and the victim’s ID generated with the help of the trustdevice-android library. The Trojan also\r\nsubscribes to messages from the MQTT server to receive the commands described below.\r\n# | Description | Parameters\r\n0 | Sends information about the infected device: phone number, carrier, etc., and the Trojan version, followed by all of the victim’s SMS messages, contacts, accounts, photos, videos and online banking digital certificates. | –\r\n1 | Sends the victim’s contact list. | –\r\n2 | Deletes a contact on the victim’s device. | data: the name of the contact to delete\r\n3 | Sends the victim’s SMS and MMS messages. | –\r\n4 | A debugging command likely to be replaced with sending call logs in a new version. | –\r\n5 | Sends the victim’s photos and videos. | –\r\n8 | Sends an SMS message. | data: ID that the malware uses to receive a message to forward. The Trojan sends the ID to mainsite and gets message text in return.\r\n24 | Sends a list of installed apps. | –\r\n30 | Adds a new contact on the device. | name: contact name; phoneNum: phone number\r\n41 | Gets ringtone volume levels. | –\r\n42 | Turns silent mode on or off. | data: a flag set to 1 to turn on silent mode and to 0 to turn it off\r\n99 | Sends a pong message in response to an MQTT ping request. | –\r\n100 | Turns on debug mode. | –\r\n101 | Turns off debug mode. | –\r\nThe command with the number 0 is worth special mention. It searches, among other things, external storage media\r\nfor .key and .der files that contain paths to /NPKI/yessign.\r\npublic static List getAllBankingKeys(Context context) {\r\n    List list = new ArrayList();\r\n    // Query the MediaStore index of external storage for files ending in .key or .der\r\n    Cursor cursor = context.getContentResolver().query(MediaStore.Files.getContentUri(\"external\"),\r\n        new String[]{\"_id\", \"mime_type\", \"_size\", \"date_modified\", \"_data\"},\r\n        \"(_data LIKE \\'%.key\\' OR _data LIKE \\'%.der\\')\", null, null);\r\n    int index = cursor == null ? 0 : cursor.getColumnIndexOrThrow(\"_data\");\r\n    if (cursor != null) {\r\n        while (cursor.moveToNext()) {\r\n            String s = cursor.getString(index);\r\n            // Only paths under an NPKI/yessign certificate directory are of interest\r\n            if (!s.contains(\"/NPKI/yessign\")) {\r\n                continue;\r\n            }\r\n            Logger.log(\"path is:\" + s);\r\n            list.add(s);\r\n            // Stops after the first matching path\r\n            break;\r\n        }\r\n        cursor.close();\r\n    }\r\n    return list;\r\n}\r\nIf the application finds files like that, it copies the directory where they are located into a ZIP archive and sends it\r\nto the C\u0026C server. These files are digital certificates issued by Korean banks to their clients and used for signing\r\nin to online banking services or confirming banking transactions. This technique is quite uncommon for Android\r\nbanking malware. Kaspersky security solutions detect SoumniBot despite its sophisticated obfuscation techniques,\r\nand assign to it the verdict of Trojan-Banker.AndroidOS.SoumniBot.\r\nConclusion\r\nMalware creators seek to maximize the number of devices they infect without being noticed. 
This motivates them\r\nto look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to\r\ninsufficiently strict validations in the Android manifest parser code.\r\nWe have detailed the techniques used by this Trojan, so that researchers around the world are aware of the tactics,\r\nwhich other types of malware might borrow in the future. Besides the unconventional obfuscation, SoumniBot is\r\nnotable for stealing Korean online banking keys, which we rarely observe in Android bankers. This feature lets\r\nmalicious actors empty unwitting victims’ wallets and circumvent authentication methods used by banks. To avoid\r\nbecoming a victim of malware like that, we recommend using a reliable security solution on your smartphone to\r\ndetect the Trojan and prevent it from being installed despite all its tricks.\r\nIndicators of compromise\r\nMD5\r\n0318b7b906e9a34427bf6bbcf64b6fc8\r\n00aa9900205771b8c9e7927153b77cf2\r\nb456430b4ed0879271e6164a7c0e4f6e\r\nfa8b1592c9cda268d8affb6bceb7a120\r\nC\u0026C\r\nhttps[://]google.kt9[.]site\r\nhttps[://]dbdb.addea.workers[.]dev\r\nSource: https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/"
	],
	"report_names": [
		"112334"
	],
	"threat_actors": [],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c498515b23b126d5cecaa8a14120306639ff3f8.pdf",
		"text": "https://archive.orkl.eu/6c498515b23b126d5cecaa8a14120306639ff3f8.txt",
		"img": "https://archive.orkl.eu/6c498515b23b126d5cecaa8a14120306639ff3f8.jpg"
	}
}