# SoumniBot
SoumniBot is a Korean banking trojan that exploits weaknesses in Android's manifest parsing to evade static analysis tools. Kaspersky published the analysis in April 2024, documenting three novel manifest obfuscation techniques that exploit differences between how build tools validate the AndroidManifest.xml and how the Android OS actually parses it. The malware steals SMS messages, contacts, banking certificates (NPKI), and photos from South Korean banking users.
## Overview
| Attribute | Details |
|---|---|
| First Seen | 2024 |
| Last Seen | Active |
| Status | Active |
| Type | Banking trojan, credential stealer |
| Attribution | Unknown; targets South Korea exclusively |
| Aliases | None known |
## Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.SoumniBot |
| AhnLab | Trojan/Android.Banker.SoumniBot |
| McAfee | Android/Banker.SoumniBot |
## Origin and Lineage
SoumniBot is independently developed with no known code lineage to other banking trojan families. Its significance lies not in its operational capabilities (which are standard for Korean banking trojans) but in its manifest obfuscation techniques, which represent a novel evasion category: they exploit the gap between how static analysis tools such as jadx and apktool parse the manifest and how the Android system's own manifest parser does.
The family operates in the same Korean banking threat space as Fakecalls and SpyAgent.
## Distribution
| Vector | Details |
|---|---|
| Smishing | SMS messages impersonating Korean banking services |
| Fake banking apps | APKs disguised as legitimate Korean banking applications |
| Third-party stores | Distribution through Korean third-party app repositories |
## Capabilities
| Capability | Description |
|---|---|
| SMS interception | Reads and forwards SMS including banking OTPs |
| Contact theft | Exfiltrates full contact list |
| NPKI certificate theft | Steals Korean banking authentication certificates (NPKI digital certificates stored on device) |
| Photo exfiltration | Uploads photos from device storage |
| Device info collection | IMEI, phone number, operator, installed apps |
| Manifest obfuscation | Three novel techniques to evade static analysis |
### NPKI Certificate Theft
South Korean banking relies heavily on NPKI (National Public Key Infrastructure) digital certificates stored locally on devices for transaction authentication. SoumniBot specifically targets these certificate files, which are typically stored in the device's /NPKI/ directory. Stolen NPKI certificates combined with captured credentials enable unauthorized banking transactions.
## Technical Details
### Manifest Obfuscation
The core technical innovation documented by Kaspersky:
#### Technique 1: Invalid Compression Method
The AndroidManifest.xml inside the APK (ZIP) uses an invalid compression method value in the ZIP entry header. Android's libziparchive defaults to uncompressed extraction when encountering an unknown method, but analysis tools that strictly validate compression methods fail to parse the manifest.
#### Technique 2: Invalid Manifest Size
The manifest's declared size in the ZIP entry header does not match its actual size. Android's parser reads the file normally regardless, but tools that validate size consistency either crash or produce corrupt output.
#### Technique 3: Long Namespace Names
XML namespace strings of excessive length (hundreds of thousands of characters) are inserted into the manifest. This causes analysis tools to allocate excessive memory when rendering the manifest, often leading to crashes or timeouts. Android's parser handles the long strings without issue.
### Impact on Analysis Tools
| Tool | Effect |
|---|---|
| jadx | Fails to parse manifest with invalid compression |
| apktool | Errors on size mismatch, produces incomplete output |
| AAPT/AAPT2 | Handles some techniques but struggles with long namespaces |
| Android OS | Parses all three techniques correctly, installs and runs the app |
These techniques specifically target the gap between how analysis tools and the Android OS parse the same file. The malware is fully functional on devices but breaks standard reverse engineering workflows.
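The following Python script is an added example, not Kaspersky's tooling or code from the malware: it shows the triage checks a defender can run on an incoming APK before handing it to jadx or apktool. It walks the ZIP central directory and the manifest's local file header with `struct` (so a malformed header becomes a finding rather than an exception), flags a compression method outside {0, 8} (Technique 1), declared sizes that disagree between headers or overrun the next archive record (Technique 2), and a manifest far larger than any legitimate one as a cheap proxy for oversized namespace strings (Technique 3). It also shows that Python's strict `zipfile` reader refuses the same archive. The ZIP header layouts are standard; the 1 MiB size limit, the sample manifest, and the method value 0x21 used in the test fixture are assumptions chosen for this example.

```python
"""Triage checks for the three manifest tricks described above (added example).

Walks the ZIP central directory and the local file header of AndroidManifest.xml
with struct rather than through zipfile, so a deliberately malformed header is
reported as a finding instead of raising. All fixtures here are constructed.
"""
import io
import struct
import zipfile

LOCAL = struct.Struct("<IHHHHHIIIHH")          # local file header, 30 bytes
CENTRAL = struct.Struct("<IHHHHHHIIIHHHHHII")  # central directory header, 46 bytes
EOCD = struct.Struct("<IHHHHIIH")              # end of central directory, 22 bytes
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
STORED, DEFLATED = 0, 8
MANIFEST = "AndroidManifest.xml"
MANIFEST_SIZE_LIMIT = 1 << 20  # 1 MiB; assumed triage limit, real manifests are tens of KB


def central_directory(apk: bytes):
    """Return (entries, cd_offset); each entry holds the header fields the checks use."""
    eocd_at = apk.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    rec = EOCD.unpack_from(apk, eocd_at)
    count, cd_offset = rec[4], rec[6]
    entries, pos = [], cd_offset
    for _ in range(count):
        f = CENTRAL.unpack_from(apk, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = apk[pos + CENTRAL.size:pos + CENTRAL.size + name_len]
        entries.append({"name": name.decode("utf-8", "replace"), "cd_pos": pos, "flags": f[3],
                        "method": f[4], "comp": f[8], "uncomp": f[9], "offset": f[16]})
        pos += CENTRAL.size + name_len + extra_len + comment_len
    return entries, cd_offset


def scan_manifest(apk: bytes) -> list:
    """Findings for AndroidManifest.xml; an empty list means the headers look normal."""
    entries, cd_offset = central_directory(apk)
    manifests = [e for e in entries if e["name"] == MANIFEST]
    findings = [] if manifests else ["no AndroidManifest.xml in the central directory"]
    for e in manifests:
        lh = LOCAL.unpack_from(apk, e["offset"])
        if lh[0] != LOCAL_SIG:
            findings.append("manifest local header has a bad signature")
            continue
        local_method, local_comp, local_uncomp = lh[3], lh[7], lh[8]
        data_start = e["offset"] + LOCAL.size + lh[9] + lh[10]  # after name and extra field

        # Technique 1: libziparchive reads any method other than 8 as stored, so a
        # value outside {0, 8} installs on Android but trips strict ZIP readers.
        for where, m in (("central", e["method"]), ("local", local_method)):
            if m not in (STORED, DEFLATED):
                findings.append(f"{where} header: unknown compression method {m}")
        if local_method != e["method"]:
            findings.append("compression method differs between local and central headers")

        # Technique 2: sizes must agree between headers and fit before the next record.
        # With bit 3 (data descriptor) set the local sizes are legitimately zero.
        if not e["flags"] & 0x8 and (local_comp, local_uncomp) != (e["comp"], e["uncomp"]):
            findings.append("sizes differ between local and central headers")
        if e["method"] != DEFLATED and e["comp"] != e["uncomp"]:
            findings.append("stored entry declares compressed size != uncompressed size")
        next_record = min((x["offset"] for x in entries if x["offset"] > e["offset"]), default=cd_offset)
        available = next_record - data_start
        if e["comp"] > available:
            findings.append(f"declared size {e['comp']} exceeds the {available} bytes before the next record")

        # Technique 3: no string-pool parse here; a manifest far larger than any real
        # one is the cheap signal that it is padded with huge namespace strings.
        if e["uncomp"] > MANIFEST_SIZE_LIMIT:
            findings.append(f"manifest declares {e['uncomp']} bytes, above the triage limit")
    return findings


def stdlib_reader_accepts(apk: bytes) -> bool:
    """True if Python's zipfile (a strict reader) can extract the manifest at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            zf.read(MANIFEST)
        return True
    except Exception:  # NotImplementedError for an unknown method, BadZipFile otherwise
        return False


def build_fixture(manifest: bytes = b"<manifest package='example'/>") -> bytes:
    """Constructed APK-shaped archive: a stored manifest followed by a dummy classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"\0" * 64)
    return buf.getvalue()


def with_header_fields(apk: bytes, method=None, comp_size=None) -> bytes:
    """Test fixture only: overwrite the manifest's method / size fields in both headers."""
    out = bytearray(apk)
    e = next(x for x in central_directory(apk)[0] if x["name"] == MANIFEST)
    if method is not None:
        struct.pack_into("<H", out, e["offset"] + 8, method)      # local header: method at +8
        struct.pack_into("<H", out, e["cd_pos"] + 10, method)     # central header: method at +10
    if comp_size is not None:
        struct.pack_into("<I", out, e["offset"] + 18, comp_size)  # local header: comp size at +18
        struct.pack_into("<I", out, e["cd_pos"] + 20, comp_size)  # central header: comp size at +20
    return bytes(out)


if __name__ == "__main__":
    clean = build_fixture()
    samples = (("clean", clean), ("bogus method", with_header_fields(clean, method=0x21)),
               ("oversized manifest", with_header_fields(clean, comp_size=4096)))
    for label, sample in samples:
        print(f"{label}: zipfile reads it: {stdlib_reader_accepts(sample)}; findings: {scan_manifest(sample)}")
```

On real samples, run `scan_manifest` on the raw APK bytes before any unpacking step; a non-empty result is the cue to extract the manifest the way Android would (treat the entry as stored, truncate to the bytes actually present) rather than trusting whatever jadx or apktool report. The size heuristic for Technique 3 is deliberately coarse; a proper check would parse the binary XML string pool and report the longest string.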
### C2 Communication
- HTTP-based C2
- Dynamic C2 server addresses retrieved from configuration
- Exfiltrated data (SMS, certificates, photos) uploaded via multipart HTTP POST
- Commands received via JSON polling
## Target Regions
| Region | Details |
|---|---|
| South Korea | Exclusive target, Korean banking focus |
SoumniBot targets major South Korean banks and financial institutions. The NPKI certificate theft specifically targets the Korean digital certificate infrastructure, which has no direct equivalent in other countries.
## Notable Campaigns
2024, April: Kaspersky publishes SoumniBot analysis, documenting three novel manifest obfuscation techniques. Google is notified about the parser exploitation techniques. The research directly impacts the static analysis community by highlighting that standard tools may fail to parse deliberately malformed manifests.