Kaspersky Finds A New Android Trojan Targeting Korean Online Banking Users

Illustration of Android trojans (photo: Kaspersky)

JAKARTA - Kaspersky researchers have just discovered a new Android Trojan banker targeting Korean users, dubbed SoumniBot.

Based on its findings, this malware uses unconventional techniques to bypass detection and steal various victim data, including banking credentials.

As usual, malware makers try to infect as many devices as possible while still hiding. This relentless effort encourages them to develop innovative detection avoidance techniques, said Dmitry Kalinin, Kaspersky researcher.

SoumniBot takes a unique approach by exploiting bugs in the process of extraction and parsing the Android manifest. Android Manifes itself is an important file included in each Android app (APK) package, containing important information about app components, permissions, and other data.

After infecting the device, SoumniBot is secretly operating in the background, collecting a series of victim data including, contact lists, SMS and MMS messages, photos and videos, IP addresses and locations, as well as digital certificates for online banking.

After that, the malware will send the information they managed to steal to a remote server controlled by the attacker.

SoumniBot is targeting digital certificates used by Korean banks, allowing attackers to bypass authentication methods and potentially steal funds from suspicious victims.

"SoumniBot is very worrying because it targets Korean digital certificates for mobile banking, something that rarely happens to mobile malware," concluded Kalinin.