Researchers from the Amsterdam-based cybersecurity firm ThreatFabric found the malware in early August 2021. The newly discovered Android trojan targets a variety of banking and shopping apps from the US and Spain, and manipulates the clipboard to insert modified cryptocurrency wallet addresses.

“Sova is the Russian word for owl. This name was chosen by the threat actor himself/herself possibly because of owls’ nature as nocturnal birds of prey, quiet but efficient in stalking and capturing their victims. This identifies a completely new, to the best of our knowledge, Android banking trojan. The trojan is currently in development and testing phase, and has the objective to add to his overlay and keylogging mechanisms, other highly dangerous features like DDoS and Ransomware in future versions. There are a few interesting aspects that differentiate this trojan to already existing ones, both in features as well as in development,” reads the research paper released by ThreatFabric.

Android trojan functionalities include:

  • Steal device data.
  • Send SMS.
  • Overlay and cookie injection.
  • Overlay and cookie injection via push notification.
  • USSD execution.
  • Credit card overlays with validity check.
  • Hidden interception of SMS.
  • Hidden interception of notifications.
  • Uninstallation of the app.
  • Resilience against uninstallation by victims.

The report also lists features planned for future releases of the trojan: automatic 3-stage overlay injections, theft of session cookies through web overlay attacks, more overlays, improved panel health, MitM, hiding notifications, manipulating the clipboard to insert modified cryptocurrency wallet addresses, VNC control of the device, DDoS attacks, ransomware deployment and interception of authentication codes.

ThreatFabric reported that, “The second set of features, added in the future developments, are very advanced and would push S.O.V.A. into a different realm for Android malware, making it potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities.”

SOVA’s main purpose is to collect victims’ personally identifiable information. The planned 3-stage overlay is intended to make the process of getting the victim to download additional software onto the device more advanced and realistic.

The researchers added, “SOVA still remains an early stage project and offers the same fundamental characteristics as modern Android banking malware. The author has strong expectations of his product to test S.O.V.A with third parties.”

Indicators of Compromise:

Sample hashes (SHA-256):

  • Unobfuscated v1: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
  • Obfuscated v1: efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7
  • Obfuscated v2: dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165

C2 URL:

  • hxxp://a0545193.xsph[.]ru

Source: Threatfabric.
