The updated version of the Android banking trojan SOVA can target 200 mobile applications, including banking apps, cryptocurrency exchanges, and wallets, up from 90 apps when first discovered. According to the most recent research from Italian cybersecurity company Cleafy, new versions of the malware can steal cookies and intercept Two-Factor Authentication (2FA) codes. It has also been expanded to target additional countries including Australia, Brazil, China, India, the Philippines, and the United Kingdom. In September 2021, SOVA, which means “owl” in Russian, was observed attacking financial and shopping apps in the United States and Spain by collecting credentials using Android’s Accessibility services. The trojan has also served as the foundation for MaliBot over the past year. In order to trick people into installing it, the most recent SOVA variation hides using logos from reliable apps like Amazon and Google Chrome. “These features, combined with Accessibility services, enable [threat actors] to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA),” noted researchers Francesco Lubatti and Federico Valentini.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in