The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out.
That’s according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, and China, India, the Philippines, and the U.K.
SOVA, meaning Owl in Russian, came to light in September 2021 when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android’s Accessibility services.
In less than a year, the trojan has also acted as a foundation for another Android malware called MaliBot that’s designed to target online banking and cryptocurrency wallet customers in Spain and Italy.
The latest variant of SOVA, dubbed v4 by Cleafy, conceals itself within fake applications that feature logos of legitimate apps like Amazon and Google Chrome to deceive users into installing them. Other notable improvements include capturing screenshots and recording the device screens.
“These features, combined with Accessibility services, enable [threat actors] to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA),” Cleafy researchers Francesco Iubatti and Federico Valentini said.
SOVA v4 is also notable for its effort to gather sensitive information from Binance and Trust Wallet, such as account balances and seed phrases. What’s more, all the 13 Russian and Ukraine-based banking apps that were targeted by the malware have since been removed from the version.
To make matters worse, the update enables the malware to leverage its wide-ranging permissions to deflect uninstallation attempts by redirecting the victim to the home screen and displaying the toast message “This app is secured.”
The banking trojan, feature-rich as it is, is also expected to incorporate a ransomware component in the next iteration, which is currently under development and aims to encrypt all files stored in the infected device using AES and rename them with the extension “.enc.”
The enhancement is also likely to make SOVA a formidable threat in the mobile threat landscape.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape,” the researchers said. “It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data.”
Suggest an edit to this article
Go to Cybersecurity Knowledge Base
Got to the Latest Cybersecurity News
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
