Researchers from the Amsterdam-based cybersecurity firm ThreatFabric found the Trojan in early August 2021. The newly discovered Android Trojan targets a variety of banking apps and shopping apps in the US and Spain, and manipulates the clipboard to insert modified cryptocurrency wallet addresses.
“Sova is the Russian word for owl. This name was chosen by the threat actor himself/herself possibly because of the owl’s nature as a nocturnal bird of prey, quiet but efficient in stalking and capturing its victims. This identifies a completely new, to the best of our knowledge, Android banking trojan. The trojan is currently in the development and testing phase, and has the objective to add to its overlay and keylogging mechanisms other highly dangerous features like DDoS and Ransomware in future versions. There are a few interesting aspects that differentiate this trojan from already existing ones, both in features as well as in development,” reads the research paper released by ThreatFabric.
The Android Trojan’s functionalities include:
- Stealing device data.
- Sending SMS.
- Overlay and Cookie injection.
- Overlay and Cookie injection via Push notification.
- USSD execution.
- Credit Card overlays with validity check.
- Hidden interception for SMS.
- Hidden interception for Notifications.
- Uninstallation of apps.
- Resilience against uninstallation by the victim.
The report also lists features planned for future releases of the Trojan: automatic 3-stage overlay injections, theft of session cookies through web overlay attacks, more overlays, improved panel health, MitM, hiding notifications, manipulating the clipboard to insert altered cryptocurrency wallet addresses, VNC control of the device, DDoS attacks, ransomware deployment, and interception of two-factor authentication codes.

ThreatFabric reported that, “The second set of features, added in the future developments, are very advanced and would push S.O.V.A. into a different realm for Android malware, making it potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities.”

SOVA’s main purpose is to collect victims’ personally identifiable information. The future version of SOVA will have a 3-stage overlay, which gives it a more advanced and realistic process for getting additional software downloaded onto the device.
The researchers added, “SOVA still remains an early stage project and offers the same fundamental characteristics as modern Android banking malware. The author has strong expectations of his product to test S.O.V.A with third parties.”
Indicators of Compromise:

| Obfuscation | Hash |
|---|---|
| Unobfuscated v1 | 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57 |
| Obfuscated v1 | efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7 |
| Obfuscated v2 | dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165 |

C2 URL:

| URL |
|---|
| hxxp://a0545193.xsph[.]ru |
Source: ThreatFabric.