
New Android Banking Malware Steals Login Credentials From Shopping & Banking Apps

Security experts have recently discovered an Android Trojan that could enable threat actors to steal all personally identifiable data from infected devices, including bank credentials, and open the door to fraud.

This trojan goes after banking apps, cryptocurrency wallets, and shopping apps, and it is currently targeting the US and Spain.

This new Android banking malware is dubbed SOVA, and this version has a myriad of features specifically made for:- 

  • Stealing credentials
  • Stealing session cookies through web overlay attacks
  • Logging keystrokes
  • Hiding notifications
  • Manipulating the clipboard to insert modified cryptocurrency wallet addresses

Moreover, its authors plan to add on-device fraud through VNC, DDoS attacks, ransomware deployment, and even interception of two-factor authentication codes in future releases.

Functionalities of the bot

This Trojan comes with the specific functionalities listed below:-

  • Steal Device Data
  • Send SMS
  • Overlay and Cookie injection
  • Overlay and Cookie injection through Push notification
  • USSD execution
  • Credit Card overlays with validity check
  • Hidden interception for SMS
  • Hidden interception for Notifications
  • Keylogger
  • Uninstallation of the app
  • Resilience against uninstallation by victims

Detailed Roadmap of the Features

The threat actors operating this bot are quite proactive, and they have released a detailed roadmap of the features to be included in future releases of S.O.V.A.:-

  • Automatic 3 stage overlay injections
  • Automatic cookie injections
  • Clipboard manipulation
  • DDoS
  • Improved Panel Health
  • Ransomware (with overlay for card number)
  • Man in the Middle (MitM)
  • Normal Push notifications
  • More overlays
  • VNC
  • 2FA interception

Commands list

The C2 can send the following commands to the bot:-

Command         Description
startddos       Start DDoS service
stealer         Steal session cookie of a specific app
hidensms        Hide received SMS
starthidenpush  Hide push notifications
delbot          Delete the bot from the device
getlog          Send key logged data
startkeylog     Clears key logged data
scaninject      Adds new injects to injects list
stopkeylog      Same as startkeylog
openinject      Open WebView with link provided
stophidenpush   Stop hiding push notifications
sendpush        Display Push notification to start WebView Injection
stophidensms    Stops hiding received SMS
stopddos        Stop DDoS service
stopscan        Stops injects
stealerpush     Same as sendpush
sendsms         Send SMS
scancookie      Adds package to cookie stealing list (v2)
stopcookie      Removes package names from cookie stealing list (v2)

Abilities

This bot also has some special and interesting capabilities, listed below:-

  • Overlay Attack
  • Session Stealer
  • DDoS
  • Clipper & Cryptocurrency wallets

C2 Communication

S.O.V.A. relies on the open-source Retrofit project for all of its communication with the C2 server. Retrofit, developed by Square, is a type-safe REST client for Android, Java, and Kotlin.

It is a large library that provides a framework for authentication, interacting with APIs, and sending network requests, working together with OkHttp.

Experts observed this year that the trojan's attacks and operations appear random. Nonetheless, S.O.V.A. is a new and sophisticated piece of malware that threat actors are using often.

For these reasons, security analysts consider this malware quite dangerous, and users need to protect themselves against this kind of trojan attack.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
