SOVA Android malware now also encrypts victim filesSecurity Cases

Cleafy security researchers have reported that Android banking malware SOVA is back and evolving rapidly.

The SOVA Android banking trojan has been enhanced with a new ransomware feature that encrypts files on Android devices, Cleafy researchers report.

The malware has been active since 2021 and is evolving over time. The latest version of the SOVA Trojan, 5.0, targets over 200 banking and cryptocurrency exchange applications.

The writers also improved his evasion abilities.

In March 2022, the authors of SOVA released version 3.0 which was able to capture 2FA codes and cookies, it also implemented new injections to target applications from several banks.

Version 4, which was released in July, unlike previous versions, includes several new codes. The most interesting capability is VNC (Virtual Network Computing).

“Starting with SOVA v4, TAs can obtain screenshots of infected devices, to retrieve more information from victims. Additionally, the malware is also capable of recording and obtaining any sensitive information, as shown in Figure 5. These features, combined with accessibility services, allow TAs to perform gestures and, therefore, fraudulent activities from the infected device, as we have already seen. in other Android banking Trojans (e.g. Oscorp or BRATA). reads the analysis published by Cleafy. “With SOVA v4, TAs are able to handle multiple commands, such as: click on the screen, swipe, copy/paste and the ability to display an overlay screen to hide the screen from the victim.”

In SOVA v4, the author has further improved and refactored the cookie stealer mechanism. Another interesting feature updated in SOVA v4 is the protection module, which was designed to protect the malware from victim actions, such as manually uninstalling malicious code.

SOVA 2 Banking Trojan

If the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them from abusing Accessibility services by returning to the home screen and displaying a pop-up window displaying “This app is secure”.

The SOVA v4 also includes a new module designed to target the Binance exchange and the Trust Wallet (Binance’s official crypto wallet). The module allows the operators to get different information including account balance, history of actions performed by the victim and seed phrase to access the crypto wallet.

Version 5 has been completely refactored and new features and changes have been added, including communications between the malware and the C2 server. Experts have noticed that the VNC module has not yet been integrated into the latest version.

The most interesting feature added in SOVA v5 is the ransomware module, which was already announced in the September 2021 roadmap.

The malware encrypts files inside infected devices using an AES algorithm and renames them with the “.enc” extension.

“The ransomware feature is quite interesting as it is still not common in the Android banking Trojan landscape. It leans heavily on the opportunity that has arisen in recent years as mobile devices have become the central storage of personal and business data for most people. concludes The report. “

With the discovery of SOVA v4 and SOVA v5, we discovered new evidence of how TAs are constantly improving their malware and C2 panel, adhering to the published roadmap. Although the malware is still under development, it is ready to carry out large-scale fraudulent activities.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, Android banking malware SOVA)

Add Comment