
SOVA Android Banking Trojan Returns With New Capabilities And Targets

Hackers have developed the SOVA Android banking trojan with upgraded capabilities to target no fewer than 200 mobile applications, encompassing banking apps and crypto exchanges and wallets, up from 90 apps when it started.

According to the latest discoveries from Italian cybersecurity firm Cleafy, newer versions of the malware sport functionality to intercept two-factor authentication (2FA) codes.

SOVA Harvests Credentials in Targeted Countries

The newer versions also steal cookies and expand the malware's targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning "owl" in Russian, came to light in September 2021 when it was observed striking financial and shopping apps from the U.S. and Spain.

It harvested credentials through overlay attacks by taking advantage of Android’s Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called MaliBot. One purpose of MaliBot is to target online banking and cryptocurrency wallet customers in Spain and Italy.

The latest variant of SOVA, dubbed v4 by Cleafy, disguises itself within fake applications that feature logos of legitimate apps like Amazon and Google Chrome to deceive users. Other notable improvements include capturing screenshots and recording the device screen.

These features, combined with Accessibility services, enable threat actors to perform gestures and fraudulent activities from the infected device. SOVA v4 is also notable for its effort to gather sensitive information from Binance and Trust Wallet, such as account balances and seed phrases.

New Features Aimed At Loopholes In Android Phone Apps

The malware targeted 13 Russian and Ukraine-based banking apps. However, the authorities removed them from the version. The update lets the malware use wide-ranging permissions to deflect uninstallation attempts by redirecting the victim to the home screen and displaying the toast message "This app is secured."

The banking trojan, feature-rich as it is, is also expected to incorporate a ransomware component in the next iteration.

However, that component is currently under development and aims to encrypt all files stored on the infected device using AES. The enhancement is also likely to make SOVA a formidable threat in the mobile threat landscape.

The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices became the central storage for personal and business data.
