The SOVA Android banking trojan has received new attack upgrades

August 25, 2022

The SOVA Android banking trojan has been upgraded with additional code improvements and new features that make its attacks more efficient. According to reports, this banking trojan has added a new ransomware module that encrypts files on the Android devices it targets.

The newly upgraded version of SOVA enables its operators to target more than 200 digital wallets, cryptocurrency exchange apps, and mobile banking apps. The trojan can also attempt to steal, exfiltrate, encrypt, and lock saved cookies and other essential data on the target device.

The latest version also includes a ransomware module that allows its operators to encrypt files on a victim's device. The trojan's features were refactored in this upgrade as well, with code improvements that help its operators remain elusive on the infected Android device.

However, this version is still missing the VNC module, which suggests that the current SOVA build is a work in progress and that v5 is still under development. Despite this, SOVA v5 appears ready for mass distribution.


The SOVA Android banking trojan has been under active observation since last year.


A separate researcher has actively monitored the evolution of this banking trojan since it first emerged last September. When the malware was first disclosed, its authors had already revealed a roadmap of planned updates.

They unveiled version five only a short time after their previous release in July this year. The earlier March version included only 2FA interception, a cookie-stealing capability, and new injections for several banks.

These injections are overlays displayed on top of genuine login prompts, such as those of banking applications, to harvest credentials. SOVA's developers then released version four in July, which expanded the list of targeted applications and added virtual network computing (VNC) features for on-device fraud campaigns.

The SOVA operators appear focused and competent enough to keep improving their capabilities. These threat actors are following a development timeline and adding new features over several months to counteract the defenses devised by cybersecurity researchers.
