Aug 19 — A new variant of the SOVA malware, which targets Android devices, has been discovered, according to cyber security researchers. Experts have analyzed the latest version of the popular banking trojan and found a series of new features, including the capacity to encrypt locally stored files. The 5.0 version adds a ransomware module.
At present, SOVA is capable of targeting more than 200 banks (and their banking apps) worldwide, as well as assorted cryptocurrency exchanges and digital wallets. The malware can take screenshots, perform taps and swipes, steal files from compromised endpoints, and add overlay screens for apps. In addition, it can steal device owners’ cookies from Gmail, Gpay and Google Password Manager.
Up until this point, the malware only delivered ransomware to desktop devices and servers, as the malware’s operators were primarily interested in targeting companies and corporations. It now looks as though hackers are interested in diversifying, since they have begun to target banking customers’ mobile phones.
SOVA is a threat of growing intensity, especially as it is starting to explore the space of mobile ransomware. If mobile phone owners begin to routinely encounter ransomware, either the removal tools will need to evolve, the adoption of mobile security will need to increase massively, or people may start to reduce their reliance on their devices.
SOVA malware details
Researchers say that the most recent malware version uses AES encryption to encrypt the device's files, appending the .enc extension to each one. The user is then unable to access those files.
From a technical perspective, the ransomware feature is interesting, as it remains uncommon in the Android banking trojan landscape. While hackers may further evolve the malware, some have started to deploy it already. The latest version of this malware hasn’t yet been widely circulated, but the current, perhaps unfinished, form is in use.
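As an added illustration (not from the original article or from any published SOVA analysis), the Python triage helper below shows one check a responder can run against the behaviour described above: it lists files carrying the reported .enc extension and uses byte entropy to separate files that are genuinely AES-encrypted from ones that were merely renamed. The 7.5 bits-per-byte cut-off, the file names and the sample directory are all constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXT = ".enc"      # extension the article reports SOVA appending
ENTROPY_THRESHOLD = 7.5   # bits/byte; AES output sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; random or encrypted content approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_enc_files(root: str, sample_bytes: int = 4096) -> list[dict]:
    """Walk `root` and report every *.enc file with its entropy and a verdict.

    'encrypted'    = high entropy, consistent with AES ciphertext
    'renamed-only' = low entropy, most likely a plaintext file that was renamed
    """
    findings = []
    for path in Path(root).rglob("*" + SUSPECT_EXT):
        if not path.is_file():
            continue
        head = path.read_bytes()[:sample_bytes]   # a prefix is enough to judge
        ent = shannon_entropy(head)
        findings.append({
            "path": str(path.relative_to(root)),
            "entropy": round(ent, 2),
            "verdict": "encrypted" if ent >= ENTROPY_THRESHOLD else "renamed-only",
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_dir() -> str:
    """Constructed sample data: one high-entropy .enc file (stands in for AES
    output), one .enc file that is just renamed text, and an untouched file."""
    root = tempfile.mkdtemp(prefix="sova_triage_")
    (Path(root) / "photo.jpg.enc").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt.enc").write_text("meeting notes\n" * 300)
    (Path(root) / "untouched.txt").write_text("nothing to see\n")
    return root


if __name__ == "__main__":
    for finding in triage_enc_files(build_sample_dir()):
        print(finding)
```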
This variant of SOVA (dubbed ‘v4’ by researchers) conceals itself within fake applications that sport the logos of well-known brands, such as Amazon and Google Chrome. Unwitting consumers then download the imposter apps.
The SOVA malware owners have been developing their product over the past several months. Thus far this year, the tool has seen numerous features introduced. These include two-factor authentication interception, new injections for multiple global banks, and virtual network computing (VNC) capabilities for on-device fraud.
This malware poses a threat to banking institutions, financial apps, and shopping apps. In September of 2021, the malware was observed in the US and Spain. Since then, its owners appear to have targeted organizations in Australia, Brazil, China, India, the Philippines and the UK.
The trojan also serves as a foundation for another Android malware known as MaliBot. This malware targets online banking and cryptocurrency wallet customers in Spain and Italy.