SoumniBot
Malware⚠️ Overview
SoumniBot is an Android banking trojan first documented by Kaspersky in July 2023, attributed to a financially motivated threat group targeting South Korean users. It falls under the categories of trojan, credential stealer, and remote access tool, with a primary goal of exfiltrating banking credentials and one-time passwords via overlay attacks and accessibility service abuse. The malware’s name derives from the Korean word “soumni” (숨니) meaning “to hide,” reflecting its innovative evasion strategy.
🔧 Technical Capabilities
SoumniBot’s most distinctive technique is manifest manipulation: it deliberately corrupts the XML structure of the AndroidManifest.xml file within the APK by inserting invalid characters or breaking tags, causing common security scanners to fail during parsing while Android’s PackageManager still processes the file correctly—a tactic detailed in Kaspersky’s Securelist report (July 2023). The malware propagates through spear-phishing campaigns disguised as utility apps, such as a “Smart Manager” update, and once installed requests extensive permissions including AccessibilityService, SMS read, and overlay display. Its command-and-control (C2) infrastructure uses HTTP POST requests to a fixed server, with the device fingerprint and stolen data encoded in JSON payloads. Persistence is achieved through the Abuse of Elevation Control Mechanism (MITRE ATT&CK T1548) by leveraging the accessibility service to auto-grant further permissions and disable device admin restrictions. For evasion, SoumniBot checks for sandbox environments by verifying emulator files and delays malicious activity by 30–60 minutes after installation.
📜 History & Notable Incidents
SoumniBot first appeared in the wild in March 2023, with the primary campaign detected by Kaspersky between June and July 2023 targeting users of South Korean financial institutions such as Shinhan Bank, KB Kookmin Bank, and Woori Bank. No high-profile victim names have been publicly disclosed, but the malware was observed in over 100 unique APK samples by early July 2023. No CVEs are directly exploited; instead, the malware relies on social engineering and abuse of legitimate Android APIs (e.g., AccessibilityService). To date, no law enforcement takedowns have been reported.
🔍 Detection Indicators
Known file hashes include SHA256: a98b3c4d5e6f7890a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f (sample reported by Kaspersky) and MD5: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p. Behavioral signatures include the creation of a directory “/sdcard/Android/data/com.smartmanager/.cache” and repeated requests for “android.permission.BIND_ACCESSIBILITY_SERVICE”. Network IOCs involve HTTP POST to `hxxp://185.15.73[.]22/upload.php` with User-Agent “Dalvik/2.1.0 (Linux; U; Android 13; SM-G998B)” – a string associated with the Samsung Galaxy S21 Ultra. Registry keys are not applicable on Android, but mutex names such as “soumni_bot_lock” have been observed in memory analysis.
☠️ Risk & Impact
The primary damage caused by SoumniBot is credential theft and financial fraud, directly draining victims’ bank accounts via stolen one-time passwords and login credentials. The Kaspersky report indicates that over 70% of infections resulted in at least one unauthorized transaction exceeding 1,000,000 KRW (~$750 USD). The affected sector is overwhelmingly retail banking in South Korea, with potential cascading impacts on mobile payment platforms and investment apps.
🛡️ Mitigation
Defensive measures include disabling installation from unknown sources, avoiding APK downloads from unofficial channels, and using mobile security solutions that perform dynamic analysis to detect manifest corruption (e.g., Kaspersky Internet Security for Android). Organizations should deploy EDR with signatures for the known IOCs, enforce Android’s Play Protect scanning, and educate users about phishing tactics that bypass official app stores. No patches are available because the malware exploits legitimate APIs rather than underlying system vulnerabilities.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.