SOVA is an Android banking Trojan with significant capabilities like credential theft, capturing keystrokes, taking screenshots, etc., that can inflict acute harm to the devices that become victims of this malware. This malware has been on sale in the underground market since last year & is suspected of having been bought by some bad actors to harvest critical information from unsuspecting users. Its creators gave the name Sova on an underground forum.
Since last year, SOVA has been targeting Russian and Philippine banks. Since its inception, we have seen its three versions wherein it had 2FA interception, cookie stealing, and injection capabilities. These versions can steal credentials and session cookies through overlay attacks, keylogging, hiding notifications, and manipulating the clipboard to insert modified cryptocurrency wallet addresses.
SOVA relies on the open-source project of Retrofit for its communication with the C2 server.
In the latest version which we have seen recently, SOVA malware seems to have evolved with some new features: –
This latest SOVA version mimics Amazon and Google Chrome icons to trick users into downloading. At the launch time, it asks for accessibility permission and forces the user to allow it.
Fig.1 Launch screen of malware Application
|SOVA Version||MD5||Detection Name|
Quick Heal users are already protected from such threats, including above mentioned SOVA versions.
Fig.2 Quick Heal Detecting the malware applications
As illustrated above, banking malware uses new techniques to lure users using icons of legitimate applications. These Trojans can cause much harm to the infected devices and are sold in underground markets. They tend to spread via smishing as well as phishing attacks. Users should be aware and not download and install applications from untrusted sources.