New Android Banking Malware Steals Login Credentials From Shopping & Banking Apps

Security experts have recently discovered an Android trojan that could enable threat actors to steal personally identifiable data from infected devices, including bank credentials, opening the door to fraud.

The trojan targets a combination of banking apps, cryptocurrency wallets, and shopping apps, and it is currently targeting the US and Spain.

This new Android banking malware is dubbed SOVA, and this version has myriad features specifically made for:

  • Stealing credentials
  • Stealing session cookies through web overlay attacks
  • Logging keystrokes
  • Hiding notifications
  • Manipulating the clipboard to insert modified cryptocurrency wallet addresses

Moreover, its authors plan to add on-device fraud through VNC, DDoS attacks, ransomware deployment, and even interception of two-factor authentication codes.

Functionalities of the bot

The trojan ships with the following functionalities:

  • Steal Device Data
  • Send SMS
  • Overlay and Cookie injection
  • Overlay and Cookie injection through Push notification
  • USSD execution
  • Credit Card overlays with validity check
  • Hidden interception for SMS
  • Hidden interception for Notifications
  • Keylogger
  • Uninstallation of the app
  • Resilience against uninstallation by victims

Detailed Roadmap of the Features

The threat actors operating this bot are quite proactive, and they have released a detailed roadmap of the features to be included in future releases of S.O.V.A.:

  • Automatic 3 stage overlay injections
  • Automatic cookie injections
  • Clipboard manipulation
  • DDoS
  • Improved Panel Health
  • Ransomware (with overlay for card number)
  • Man in the Middle (MitM)
  • Normal Push notifications
  • More overlays
  • VNC
  • 2FA interception

Commands list

The C2 can send the following commands to the bot:

  • startddos: Start DDoS service
  • stealer: Steal session cookie of a specific app
  • hidensms: Hide received SMS
  • starthidenpush: Hide push notifications
  • delbot: Delete the bot from the device
  • getlog: Send key logged data
  • startkeylog: Clears key logged data
  • scaninject: Adds new injects to injects list
  • stopkeylog: Same as startkeylog
  • openinject: Open WebView with link provided
  • stophidenpush: Stop hiding push notifications
  • sendpush: Display Push notification to start WebView Injection
  • stophidensms: Stops hiding received SMS
  • stopddos: Stop DDoS service
  • stopscan: Stops injects
  • stealerpush: Same as sendpush
  • sendsms: Send SMS
  • scancookie: Adds package to cookie stealing list (v2)
  • stopcookie: Removes package names from cookie stealing list (v2)
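
The command vocabulary above can be used for static triage of a suspicious APK. The following is an added example, not code from the original report: it scans strings extracted from a sample for the listed command names as exact tokens. The capability grouping, the thresholds and the sample inputs are assumptions made for illustration.

```python
import re

# Command names copied from the article's C2 command list. The grouping into
# capabilities is this example's own assumption, made for readable reports.
SOVA_COMMANDS = {
    "ddos": ["startddos", "stopddos"],
    "cookie_theft": ["stealer", "scancookie", "stopcookie"],
    "sms": ["hidensms", "stophidensms", "sendsms"],
    "push": ["starthidenpush", "stophidenpush", "sendpush", "stealerpush"],
    "keylog": ["startkeylog", "stopkeylog", "getlog"],
    "inject": ["scaninject", "openinject", "stopscan"],
    "lifecycle": ["delbot"],
}
# Whole identifiers only, so "getLogger" or "CookieStealerTest" never match.
TOKEN = re.compile(r"[A-Za-z0-9_]+")


def triage(strings, min_hits=6, min_groups=3):
    """Return matched commands per capability and a heuristic verdict.

    Thresholds are illustrative assumptions, not published detection values.
    """
    tokens = set()
    for line in strings:
        tokens.update(TOKEN.findall(line))
    hits = {}
    for group, names in SOVA_COMMANDS.items():
        found = sorted(n for n in names if n in tokens)
        if found:
            hits[group] = found
    total = sum(len(v) for v in hits.values())
    return {
        "hits": hits,
        "total": total,
        "suspicious": total >= min_hits and len(hits) >= min_groups,
    }


# Constructed sample input: lines as they might appear in a `strings` dump.
SUSPECT = [
    "startddos", "stopddos", "stealer", "scancookie", "hidensms",
    "starthidenpush", "getlog", "delbot", "retrofit2/Retrofit",
]
BENIGN = [
    "org/slf4j/getLogger", "CookieStealerTest", "sendsms",
    "startkeylogger_disabled", "okhttp3/OkHttpClient",
]

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(sample))
```

A single generic hit such as `sendsms` is not flagged; the verdict requires several command names spread across capabilities, which is what distinguishes a command dispatcher from an ordinary app.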


The bot also has some notable capabilities, listed below:

  • Overlay Attack
  • Session Stealer
  • DDoS
  • Clipper & Cryptocurrency wallets

C2 Communication

The S.O.V.A. malware relies on the open-source Retrofit project for all communication with the C2 server. Retrofit is a type-safe REST client for Android, Java, and Kotlin developed by Square.

The library provides a powerful framework for authentication, for interacting with APIs, and for sending network requests with OkHttp.

This year, experts asserted that trojan malware has been attacking and carrying out its operations randomly. S.O.V.A., however, is a new and sophisticated piece of malware, and threat actors are using it often.

For these reasons, security analysts consider this malware quite dangerous, and users need to protect themselves against this kind of trojan attack.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
