A new Android banking trojan called ‘SoumniBot’ uses an uncommon obfuscation technique: it abuses weaknesses in the way Android extracts and parses the APK manifest.
The approach lets SoumniBot slip past the checks that typical Android security tools apply and steal information from infected devices.
Kaspersky researchers discovered and analysed the malware and published technical details on how it exploits the Android routine that extracts and parses APK manifests.
Fooling Android’s Parser
Each app’s manifest file (‘AndroidManifest.xml’) sits in the APK’s root directory and declares the app’s components (activities, services, broadcast receivers, content providers), the permissions it requests, and other app metadata.
Malicious APKs can use unusual compression to confuse security tools and evade inspection; Kaspersky’s analysts found that SoumniBot relies on three distinct methods to defeat the parsers of analysis tools, all of which involve manipulating the manifest file’s compression and size.
How the malware works
First, when the APK’s manifest file is unpacked, SoumniBot uses an invalid compression method value that differs from the norma
[…]
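The two manifest-level tricks the excerpt names (a bogus compression method value and a declared size that does not match the bytes actually present) are both visible in the ZIP headers of the APK, so a triage script can flag them without ever handing the file to an Android parser. The following example is added here; it is not code from the article or from Kaspersky, and the APK it inspects is a minimal zip constructed in memory for the demonstration. It walks the central directory by hand (Python’s `zipfile` refuses to read a member whose compression method it does not recognise) and then tampers with its own sample to show what each finding looks like.

```python
"""Audit the AndroidManifest.xml entry of an APK for header-level evasion tricks.

Added example, not from the original article. The sample APK is constructed
in memory; `tamper_manifest` is a helper written for this demo, not a real tool.
"""
import io
import struct
import zipfile
import zlib
from typing import Optional

STORED, DEFLATED = 0, 8            # the only methods an APK is allowed to use
MANIFEST = "AndroidManifest.xml"
CD_SIG, LFH_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"


def parse_central_directory(data: bytes) -> list:
    """Return one dict per central-directory entry (name, method, sizes, offsets)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_off(4) ...
    n_total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, off = [], cd_off
    for _ in range(n_total):
        f = struct.unpack_from("<4s6H3I5H2I", data, off)      # 46-byte fixed part
        if f[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {off}")
        nlen, elen, clen = f[10], f[11], f[12]
        name = data[off + 46: off + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "csize": f[8],
                        "usize": f[9], "cd_off": off, "lho": f[16]})
        off += 46 + nlen + elen + clen
    return entries


def _manifest_entry(data: bytes) -> dict:
    for e in parse_central_directory(data):
        if e["name"] == MANIFEST:
            return e
    raise KeyError(MANIFEST)


def audit_manifest(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means the entry looks sane."""
    findings = []
    e = _manifest_entry(data)
    if e["method"] not in (STORED, DEFLATED):
        findings.append(f"unsupported compression method {e['method']:#06x}")
    lho = e["lho"]
    sig, _, _, l_method, _, _, _, l_csize, _, nlen, elen = struct.unpack_from(
        "<4s5H3I2H", data, lho)                                  # 30-byte local header
    if sig != LFH_SIG:
        findings.append("local file header signature missing")
        return findings
    if (l_method, l_csize) != (e["method"], e["csize"]):
        findings.append("local header disagrees with central directory")
    data_start = lho + 30 + nlen + elen
    if data_start + e["csize"] > len(data):
        findings.append(f"declared compressed size {e['csize']} runs past end of archive")
    elif e["method"] == DEFLATED:
        try:                                                      # raw deflate, no zlib header
            zlib.decompress(data[data_start:data_start + e["csize"]], -15)
        except zlib.error:
            findings.append("deflate stream does not decompress")
    return findings


def build_sample_apk() -> bytes:
    """A minimal APK-shaped zip (constructed for this example, not a real app)."""
    manifest_xml = (b'<?xml version="1.0"?><manifest package="com.example.sample">'
                    b'<uses-permission android:name="android.permission.INTERNET"/>'
                    b'</manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest_xml)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper_manifest(data: bytes, method: Optional[int] = None,
                    compressed_size: Optional[int] = None) -> bytes:
    """Copy `data` with a bogus method and/or declared size written into the manifest's
    central-directory entry and local header (demo helper, mimics the evasion)."""
    buf = bytearray(data)
    e = _manifest_entry(data)
    if method is not None:
        struct.pack_into("<H", buf, e["cd_off"] + 10, method)     # CD: method at +10
        struct.pack_into("<H", buf, e["lho"] + 8, method)         # LFH: method at +8
    if compressed_size is not None:
        struct.pack_into("<I", buf, e["cd_off"] + 20, compressed_size)  # CD: csize at +20
        struct.pack_into("<I", buf, e["lho"] + 18, compressed_size)     # LFH: csize at +18
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", audit_manifest(clean))
    print("bad method:", audit_manifest(tamper_manifest(clean, method=0x1234)))
    print("bad size:", audit_manifest(tamper_manifest(clean, compressed_size=0x7FFFFFFF)))
```

Note that a standard-library reader shows why the trick works against tooling rather than against the device: `zipfile.ZipFile(io.BytesIO(tampered)).read(MANIFEST)` raises `NotImplementedError` for the unknown method, so an analysis pipeline built on it simply loses the manifest, while the auditing logic above treats any method other than 0 or 8, and any size that overruns the archive, as a signal in its own right.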
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents