The updated version of the Android banking trojan SOVA can target 200 mobile applications, including banking apps, cryptocurrency exchanges, and wallets, up from 90 apps when first discovered. According to the most recent research from Italian cybersecurity company Cleafy, new versions of the malware can steal cookies and intercept Two-Factor Authentication (2FA) codes. It has also been expanded to target additional countries including Australia, Brazil, China, India, the Philippines, and the United Kingdom. In September 2021, SOVA, which means “owl” in Russian, was observed attacking financial and shopping apps in the United States and Spain by collecting credentials using Android’s Accessibility services. The trojan has also served as the foundation for MaliBot over the past year. In order to trick people into installing it, the most recent SOVA variation hides using logos from reliable apps like Amazon and Google Chrome. “These features, combined with Accessibility services, enable [threat actors] to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA),” noted researchers Francesco Lubatti and Federico Valentini.
SOVA is also notable for collecting private data from Trust Wallet and Binance, including account balances and seed phrases. Additionally, all 13 banking apps from Russia and Ukraine that were targeted by the malware have been removed from the new version. The upgraded malware uses its extensive rights to prevent uninstall attempts by bringing the victim back to the home page and announcing, “This app is secured.” The banking trojan is also expected to include a ransomware component and use Advanced Encryption Standard (AES) for encryption in its next iteration. “The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data,” noted researchers.