The new Android trojan 'SoumniBot' evades detection by using clever tricks in the manifest extraction and parsing process.
- SoumniBot uses invalid Compression method values to write uncompressed data in the manifest file, tricking the Android APK parser.
- The trojan misrepresents the manifest file size, causing the parser to ignore the 'overlay' data and only copy the 'uncompressed' file.
- SoumniBot uses very long XML namespace names in the manifest file, so that analysis tools struggle to allocate enough memory to parse it.
- The malware searches for digital certificates issued by Korean banks, a technique uncommon for Android banking malware.
- SoumniBot is designed to collect and send sensitive information, manipulate device settings, and evade detection by hiding its icon.
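As an added example (not code from the original report), the following defender-side check detects the first two manifest tricks at the ZIP level: it walks the APK's central directory by hand and flags an AndroidManifest.xml record whose compression method is not STORED/DEFLATED, whose declared sizes disagree for a stored entry, or whose local header contradicts the central directory. The sample archive, the invalid method value 0x1337 and the size padding are constructed for the demonstration; the long-namespace trick is not covered here.

```python
import io, struct, zipfile
# Record layouts from the ZIP spec (APPNOTE.TXT); all fields little-endian.
EOCD_SIG, CD_SIG = b"PK\x05\x06", b"PK\x01\x02"
CD_FMT, LOCAL_FMT = "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH"
VALID_METHODS = {0, 8}  # Android only accepts STORED (0) and DEFLATED (8)

def central_directory(data):
    """Walk the central directory by hand instead of trusting zipfile's view of it.
    Yields (name, method, compressed size, uncompressed size, local header offset, record offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        f = struct.unpack_from(CD_FMT, data, pos)
        assert f[0] == CD_SIG, "bad central-directory signature"
        name = data[pos + 46:pos + 46 + f[10]].decode("utf-8", "replace")
        entries.append((name, f[4], f[8], f[9], f[16], pos))
        pos += 46 + f[10] + f[11] + f[12]
    return entries

def manifest_anomalies(apk):
    """Flag AndroidManifest.xml records showing the tricks described above."""
    findings = []
    for name, method, csize, usize, loff, _ in central_directory(apk):
        if name != "AndroidManifest.xml":
            continue
        local = struct.unpack_from(LOCAL_FMT, apk, loff)
        if method not in VALID_METHODS:
            findings.append(f"invalid compression method 0x{method:04x}")
        if method == 0 and csize != usize:
            findings.append(f"stored entry declares compressed {csize} != uncompressed {usize}")
        if (local[3], local[7], local[8]) != (method, csize, usize):
            findings.append("local header disagrees with central directory")
    return findings

def build_sample(bad_method=None, size_padding=0):
    """Constructed APK-like archive, optionally patched the way the text describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>")
    data = bytearray(buf.getvalue())
    _, _, csize, _, loff, cdpos = next(e for e in central_directory(data) if e[0] == "AndroidManifest.xml")
    if bad_method is not None:  # method field: +8 in local header, +10 in CD record
        struct.pack_into("<H", data, loff + 8, bad_method)
        struct.pack_into("<H", data, cdpos + 10, bad_method)
    if size_padding:  # compressed-size field: +18 in local header, +20 in CD record
        struct.pack_into("<I", data, loff + 18, csize + size_padding)
        struct.pack_into("<I", data, cdpos + 20, csize + size_padding)
    return bytes(data)
```

Running `manifest_anomalies` over a real APK only needs the file's bytes; a clean archive yields no findings, while either patched variant yields exactly one.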