Android banking trojan SOVA is back and offers updated features – with another version in development containing a ransomware module.
Cleafy researchers documenting SOVA’s resurgence say that version 4 appears to target over 200 mobile applications, including banking apps and cryptocurrency exchanges/wallets. Spain appears to be the malware’s most-targeted country, followed by the Philippines and the United States.
SOVA v4 is hidden inside fake Android applications that borrow the logos of popular apps such as Chrome and Amazon. The latest version includes a revised and improved cookie-stealing mechanism that can now be pointed at a specified list of Google services and other applications. The update also lets the malware protect itself by intercepting and blocking the victim’s attempts to uninstall the app.
As in earlier versions, attackers can direct the latest SOVA at specific targets through a command-and-control (C2) interface, which makes the malware adaptable to a variety of attack scenarios.
The malware also lets attackers take screenshots, record the screen, and execute commands on the device, so that an attacker can later look for ways to pivot to other systems or applications that may be more attractive.
“The most interesting part deals with [virtual network computing] capacity,” the report said. “This feature has been in the SOVA roadmap since September 2021 and is strong proof that [threat actors are] constantly updating malware with new features and capabilities.”
Ransomware on the horizon
The Cleafy team also found evidence that another version of the malware, version 5, is in development and will contain the ransomware module previously announced in the September 2021 development roadmap.
“The ransomware feature is quite interesting because it’s still not widespread in the Android banking Trojan landscape,” noted the Cleafy researchers. “It’s heavily capitalizing on an opportunity that has arisen in recent years, as mobile devices have become the central repository for personal and business data for most people.”
According to Corey Kline, Senior Cybersecurity Consultant at nVisium, cybercriminals benefit greatly from adding ransomware capabilities to banking Trojans.
“You no longer have to steal your personal information to gain access to your financial information,” he explains. “Ransomware capabilities now allow attackers to encrypt affected devices.”
He adds that as more and more people store almost every aspect of their lives on their mobile devices, attackers can more easily find targets willing to pay to get their data back.
“The team behind SOVA has demonstrated a new level of sophistication,” he says. “The feature set is quite unique in the Android banking Trojan scene, and SOVA is one of the most feature-rich Android banking Trojans out there.”
However, he points out that the team behind SOVA chose to use the Retrofit HTTP client library for its C2 communication instead of writing their own solution.
“This may speak to some of the limitations in the development team,” says Kline.
The banking Trojan gets a boost from additional functions
Other banking Trojans have also re-emerged with updated capabilities to bypass protections, including Emotet, which surfaced in a more advanced form earlier this summer after being removed by a joint international task force in January 2021.
Joseph Carson, Chief Security Scientist and Consultant CISO at Delinea, says there are many benefits to improving and evolving existing Android banking Trojans.
“Significant improvements in SOVA v4 and SOVA v5 show that attackers can easily extend existing features like Cookie Stash, which now includes more paid services and applications,” he explains. “New modules like those targeting CryptoWallet show that attackers see cryptocurrencies as an attractive target.”
He points out that adding ransomware capabilities can have many benefits for attackers, such as destroying evidence. This makes it harder for digital forensics to find any traces or attributions of the attacker and gives the attacker an additional payment option if credential or cookie theft is unsuccessful.
“As new Internet services are introduced, particularly in the financial industry,” says Carson, “attackers need to update banking Trojans with new modules like any other software company to remain compatible with new technologies.”