
New Android banking malware “SoumniBot” threatens South Korean users


A sophisticated new Android malware, known as SoumniBot, has caused concern among South Korean users for its ingenious obfuscation techniques, which allow it to evade detection systems and put users' sensitive data, such as banking data, at risk.

According to researchers at Kaspersky, SoumniBot exploits weaknesses in the way Android parses an app's manifest file, which allows it to conceal its true nature and operate unnoticed. The malware employs several obfuscation tactics, including manipulating the compression method value and the declared manifest size, as well as using extremely long names, all of which make it difficult for scanners to detect its presence.
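The manifest-level tricks described above can be checked for at the ZIP-container level without decoding the manifest itself. The following Python is an added example, not Kaspersky's tooling or code from the malware: it parses an APK's central directory and local file headers directly and flags a manifest entry whose compression method is neither stored nor deflated, whose two headers disagree, or whose declared size does not match the bytes actually present. The sample APK it builds is constructed in memory, and the assumption that a lenient loader treats any method other than 8 as stored is mine.

```python
import io, struct, zipfile, zlib

CDH = "<4s4B4HL2L5H2L"   # central directory header (46 bytes), laid out as in CPython's zipfile
LFH = "<4s2B4HL2L2H"     # local file header (30 bytes)
MANIFEST = "AndroidManifest.xml"

def central_entries(apk: bytes):
    """Yield (name, method, csize, usize, local_offset, cd_offset) for each central directory entry."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, pos, _ = struct.unpack_from("<4s4H2LH", apk, eocd)
    for _ in range(count):
        f = struct.unpack_from(CDH, apk, pos)
        yield apk[pos + 46:pos + 46 + f[12]].decode("utf-8", "replace"), f[6], f[10], f[11], f[18], pos
        pos += 46 + f[12] + f[13] + f[14]   # skip file name, extra field and comment

def manifest_anomalies(apk: bytes) -> list[str]:
    """Flag the header tricks the article describes: bogus method, header mismatch, size lie."""
    entries = [e for e in central_entries(apk) if e[0] == MANIFEST]
    if not entries:
        return [f"{MANIFEST} missing from central directory"]
    _, method, csize, usize, loff, _ = entries[0]
    out = []
    if method not in (0, 8):   # stored or deflated is all a valid APK ever uses
        out.append(f"unknown compression method {method}")
    l = struct.unpack_from(LFH, apk, loff)
    if (l[4], l[8], l[9]) != (method, csize, usize):   # tools may read one header, the loader the other
        out.append("local header and central directory disagree")
    data = apk[loff + 30 + l[10] + l[11]:][:csize]   # entry data follows the name and extra field
    try:  # assumption: a lenient loader treats anything but 8 as stored; mirror that here
        actual = zlib.decompress(data, -15) if method == 8 else data
    except zlib.error:
        return out + ["manifest data does not inflate"]
    if len(actual) != usize:
        out.append(f"declared size {usize} != actual {len(actual)}")
    return out

def build_sample(tamper: bool) -> bytes:
    """Constructed APK stand-in; tamper=True rewrites the manifest's method and size fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST, b"\x03\x00\x08\x00" + b"\x00" * 60)   # 64-byte binary-XML-shaped filler
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    apk = bytearray(buf.getvalue())
    if tamper:
        loff, cpos = next((e[4], e[5]) for e in central_entries(bytes(apk)) if e[0] == MANIFEST)
        # bogus method 0x2A in both headers, and a declared size far larger than the 64 real bytes
        for off, fmt, val in ((cpos + 10, "<H", 0x2A), (loff + 8, "<H", 0x2A),
                              (cpos + 24, "<L", 4160), (loff + 22, "<L", 4160)):
            struct.pack_into(fmt, apk, off, val)
    return bytes(apk)
```

Run `manifest_anomalies()` over a real APK's bytes to get the same findings; an empty list means the manifest headers look ordinary, not that the app is benign.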

Once installed, SoumniBot requests configuration parameters from a hardcoded server and launches a malicious service on the user's device. Additionally, the malware can detect and extract digital certificates used by Korean banks for online banking services, allowing attackers to conduct fraudulent transactions.

Among the malicious actions performed by SoumniBot is the sending of sensitive information about the infected device, such as the phone number and the Trojan version, as well as the transmission of SMS messages, contacts, accounts, photos, videos and the victim's online-banking digital certificates. These certificates are crucial for online banking and transaction verification, making their theft particularly harmful.

The malware can also delete contacts on the device, add new contacts, obtain ringtone volume levels, and send the list of installed apps.


Additionally, SoumniBot connects to a Message Queuing Telemetry Transport (MQTT) server, which makes it easier for it to communicate with the remote attackers and receive malicious commands.

With its ability to obfuscate its malicious actions and its focus on Korean banking credentials, SoumniBot poses a significant threat to South Korean Android users. The advice to users for this type of attack, although this particular campaign appears to be confined to South Korea at the moment, is always to be careful when installing apps from untrusted sources.
