The Evolution of the Android Banking Trojan SOVA
The notorious Android banking Trojan SOVA has resurfaced with new and advanced features, according to recent findings by security researchers at Cleafy.
Origins and Development
SOVA first made its appearance in September 2021, with developers unveiling a roadmap for upcoming updates on the dark web. Despite still being in the testing phase, the malware quickly made its mark in the cybercrime market.
Over the following months, Cleafy identified multiple versions of SOVA, each incorporating features outlined in the initial 2021 development roadmap. These enhancements included 2FA interception, cookie theft, and injections targeting new regions and institutions, such as multiple Philippine banks.
Latest Findings
In July 2022, Cleafy detected a new iteration of SOVA, known as v4, which boasts enhanced capabilities and an expanded target list of over 200 mobile applications, including banking apps and popular crypto exchanges like Binance.
One standout feature of SOVA v4 is its Virtual Network Computing (VNC) capability, a functionality initially mentioned in the malware’s 2021 roadmap. This underscores the continuous evolution and sophistication of the threat actors behind SOVA.
Moreover, the latest version of SOVA can now capture screenshots, record gestures, and execute multiple commands on infected devices. The cookie-stealing mechanism has also been refined to target a wider range of Google services and applications, and the malware can now defend itself by intercepting uninstallation attempts.
Further Developments
Cleafy’s advisory also mentions the emergence of a new variant, SOVA v5, which showcases further code optimization, additional features, and revised communication protocols with the command-and-control (C2) server.
Notably, SOVA v5 omits the VNC module but introduces ransomware capabilities, a relatively rare trait among Android banking Trojans. This shift reflects the growing role of mobile devices as primary repositories for personal and business data, which makes them lucrative targets for cybercriminals.
As the threat landscape continues to evolve, organizations and individuals must remain vigilant against the ever-changing tactics of malware like SOVA. Implementing robust security measures and staying informed about emerging threats are crucial steps in safeguarding against potential cyber attacks.