SOVA Android Banking Malware

The Android banking Trojan SOVA (“Owl” in Russian) has been under active development since September 2021. Reports say multiple versions of SOVA were found in March 2022, with some features already implemented, including 2FA interception, cookie stealing, and injections for new targets and countries, such as multiple Philippine banks.

At present, SOVA malware is back with updated capabilities and a new version in development that contains a ransomware module.

“We discovered a new version of SOVA (v4) which presents new capabilities and seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets”, Cleafy

Researchers at Cleafy mention that Spain appears to be the country most targeted by the malware, followed by the Philippines and the US.

What is New in SOVA (v4)?

The SOVA v4 malware is hidden within fake Android applications that show up with the logo of popular apps, like Chrome, Amazon, an NFT platform, or others.

Main icons used by SOVA v4 (Cleafy)

Further, the new version adds new code related to its VNC capability. The threat actors can take screenshots of infected devices to retrieve more information from victims. Moreover, the malware can record and obtain any sensitive information. This allows an attacker to look for ways to move to other systems or applications that might be more beneficial.

Casting/Recording feature of SOVA v4 (Cleafy)

In SOVA v4, the cookie stealer mechanism was refactored and improved. Threat actors now specify a complete list of Google services whose cookies they are interested in stealing (e.g. Gmail, GPay, and Google Password Manager), along with a list of other applications. For each stolen cookie, SOVA also collects additional information such as “is httpOnly”, its expiration date, etc.

The next new feature in SOVA v4 is the refactoring of its “protections” module, which is intended to protect the malware from different victim actions.

“Protections” code comparison between SOVA v3 and v4 (Cleafy)

Researchers say SOVA uses the .apk just to unpack a .dex file which contains the real malicious functionalities of the malware. In SOVA v4, an entirely new module was dedicated to the Binance exchange and the Trust Wallet (official crypto wallet of Binance).

Particularly, threat actors intend to get information, like the balance of the account, different actions performed by the victim inside the app and, finally, even the seed phrase (a collection of words) used to access the crypto wallet.

A Ransomware Module to Encrypt Files

The threat actors encrypt the files inside the infected devices through an AES algorithm and rename them with the extension “.enc”.

“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data.” Cleafy

SOVA’s new ransomware module (Cleafy)

The most attractive feature added in SOVA v5 is the ransomware module that was announced in the roadmap of September 2021.
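A defender triaging storage pulled from a suspect device can sweep for the “.enc” suffix described above and use byte entropy to separate likely ciphertext from files that merely carry the name. This is an added example, not code from Cleafy or the original article; the threshold, sample size, function names and sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".enc"        # extension the article reports for encrypted files
ENTROPY_THRESHOLD = 7.5    # assumed cut-off in bits/byte; ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024   # assumed: only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return float(sum(-(n / total) * math.log2(n / total) for n in Counter(data).values()))

def triage(root: str) -> list[tuple[str, float, bool]]:
    """Return (relative path, entropy, likely_encrypted) for every *.enc file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENC_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            h = shannon_entropy(head)
            findings.append((os.path.relpath(path, root), h, h >= ENTROPY_THRESHOLD))
    return sorted(findings)

def build_constructed_sample(root: str) -> None:
    """Write constructed test files (not real SOVA output) under root."""
    os.makedirs(os.path.join(root, "DCIM"), exist_ok=True)
    samples = {
        "DCIM/IMG_0001.jpg.enc": bytes(range(256)) * 16,  # uniform bytes, stand-in for ciphertext
        "notes.enc": b"shopping list: milk, eggs\n" * 40,  # plain text that only has the suffix
        "report.pdf": b"%PDF-1.4 constructed\n",           # no .enc suffix, must be ignored
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for rel, h, flagged in triage(tmp):
            print(f"{rel:28} entropy={h:.2f} likely_encrypted={flagged}")
```

Compressed formats such as archives and media also score high on entropy, so the suffix and the entropy check are meant to be read together, not separately.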

“With the discovery of SOVA v4 and SOVA v5, we uncovered new evidence about how TAs are constantly improving their malware and the C2 panel, honoring the published roadmap. Although the malware is still under development, it’s ready to carry on fraudulent activities at scale,” concludes the Cleafy team.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.