SoumniBot: Android Trojan Targets South Korea

A newly detected Android trojan, SoumniBot, has surfaced, targeting users in South Korea. Notable for its unconventional evasion techniques, the malware employs three distinct methods to thwart analysis, primarily by manipulating the Android manifest file.

Firstly, it exploits a flaw in the libziparchive library by using an invalid Compression method value, allowing it to be installed despite being recognized as invalid by some unpackers. Secondly, SoumniBot misrepresents the size of the archived manifest file, tricking parsers into ignoring additional data. Lastly, it employs lengthy XML namespace names, straining analysis tools’ memory allocation.

Upon launch, SoumniBot retrieves configuration information from a hardcoded server, enabling it to send data and receive commands via the MQTT protocol. The malware operates a persistent service, restarting every 16 minutes if terminated, and uploads data every 15 seconds, encompassing device metadata, contacts, SMS messages, media files, and installed apps. Additionally, it possesses functionalities such as contact manipulation, SMS sending, silent mode toggling, and hiding its icon to evade uninstallation. Notably, SoumniBot targets digital certificate files associated with South Korean banks, a tactic uncommon in Android banking malware.

Comparisons can be drawn to a recent campaign by the North Korea-linked Kimusuky group, utilizing a Golang-based information stealer named Troll Stealer to pilfer similar certificates from Windows systems. The overarching goal of such malware creators is to infect devices stealthily, necessitating continuous adaptation to evade detection.


In the case of SoumniBot, its success is attributed to lax validations within the Android manifest parser code. This underscores the perpetual cat-and-mouse game between malware developers and cybersecurity experts, where the former strive for innovation to stay ahead of detection measures.