SOVA Android Banking Trojan Returns With New Capabilities and Targets

SOVA Android Banking Trojan Returns With New Capabilities and Targets

The SOVA Android banking trojan is continuous to be actively developed with upgraded capabilities to focus on a minimum of 200 cellular purposes, together with banking apps and crypto exchanges and wallets, up from 90 apps when it began out.

That is in accordance with the newest findings from Italian cybersecurity agency Cleafy, which discovered newer variations of the malware sporting performance to intercept two-factor authentication (2FA) codes, steal cookies, and develop its focusing on to cowl Australia, Brazil, China, India, the Philippines, and the U.Okay.

SOVA, which means Owl in Russian, got here to gentle in September 2021 when it was noticed hanging monetary and procuring apps from the U.S. and Spain for harvesting credentials by overlay assaults by making the most of Android’s Accessibility companies.


In lower than a 12 months, the trojan has additionally acted as a basis for an additional Android malware known as MaliBot that is designed to focus on on-line banking and cryptocurrency pockets prospects in Spain and Italy.

The most recent variant of SOVA, dubbed v4 by Cleafy, conceals itself inside faux purposes that function logos of professional apps like Amazon and Google Chrome to deceive customers into putting in them. Different notable enhancements embrace capturing screenshots and recording the gadget screens.

SOVA Android Banking Trojan

“These options, mixed with Accessibility companies, allow [threat actors] to carry out gestures and, consequently, fraudulent actions from the contaminated gadget, as we’ve got already seen in different Android Banking Trojans (e.g. Oscorp or BRATA),” Cleafy researchers Francesco Iubatti and Federico Valentini said.

SOVA v4 can be notable for its effort to assemble delicate info from Binance and Belief Pockets, equivalent to account balances and seed phrases. What’s extra, all of the 13 Russian and Ukraine-based banking apps that had been initially focused by the malware have since been faraway from the model.


To make issues worse, the replace allows the malware to leverage its wide-ranging permissions to deflect uninstallation makes an attempt by redirecting the sufferer to the house display and displaying the toast message “This app is secured.”

The banking trojan, feature-rich as it’s, can be anticipated to include a ransomware part within the subsequent iteration, which is presently underneath growth and goals to encrypt all recordsdata saved within the contaminated gadget utilizing AES and rename them with the extension “.enc.” The enhancement is more likely to make SOVA a formidable risk within the cellular risk panorama.

“The ransomware function is kind of attention-grabbing because it’s nonetheless not a standard one within the Android banking trojans panorama,” the researchers mentioned. “It strongly leverages on the chance that has arisen in recent times, as cellular units turned for most individuals the central storage for private and enterprise information.”