SOVA is an Android banking trojan that first appeared on an underground forum in September 2021. Even its first iterations shipped with a broad feature set, and the most recent versions add new capabilities and code improvements.
SOVA Android Malware: Multiple Versions in the Wild
The newest capability of SOVA appears to be a ransomware module that encrypts files on infected mobile devices. The feature is present in SOVA version 5.0.
This variant targets more than 200 banking applications, as well as cryptocurrency exchange platforms and digital wallet apps, with the aim of stealing sensitive user data and session cookies.
According to a report by Cleafy, multiple samples of the fourth version were circulating with advanced features, including 2FA interception, cookie stealing, and new injections for additional targets and countries. The fifth version adds ransomware capabilities.
How Does SOVA Android Malware Operate?
SOVA sends a list of the applications installed on the infected device to its command-and-control (C2) server and receives an XML file containing the addresses of the overlays to load. When the victim opens a targeted app, the matching overlay is displayed on top of it.
The latest release also upgrades the cookie-stealing feature, which now targets Gmail, Google Password Manager, and GPay.
SOVA’s Ransomware Module
The feature was announced in the malware's roadmap in September 2021. Although it has since been implemented, at the time of writing [the report] it still appeared to be under development. The operators aim to encrypt files on infected devices with AES and rename them with the .enc extension.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data,” the report noted.
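The report gives two concrete artifacts of the ransomware module: files are AES-encrypted and renamed with the .enc extension. The following is an added example (not code from the report or from SOVA) showing how a responder could scan a recovered device image or backup for files that match that profile, combining the extension check with a byte-entropy test so that a merely renamed plaintext file is not mistaken for ciphertext. The directory layout, file contents and the 7.5 bits-per-byte threshold are assumptions constructed for the example; `os.urandom` stands in for AES output.

```python
"""Added example: flag files that look like SOVA ransomware output (.enc + high entropy).

Not from the Cleafy report or from the malware itself. The sample tree,
its contents and the entropy threshold are constructed assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# Assumption: AES ciphertext (and compressed data) sits close to 8.0 bits/byte;
# text, config files and most uncompressed formats sit well below 7.5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty or single-valued buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_suspect_files(root: str, ext: str = ".enc",
                       threshold: float = ENTROPY_THRESHOLD) -> list[str]:
    """Return paths (relative to root) of files that carry `ext` AND look encrypted.

    Both conditions are required: a file that was only renamed (e.g. a decoy or an
    interrupted encryption run) keeps its low-entropy plaintext and is not reported.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # first 64 KiB is enough to judge entropy
            if shannon_entropy(head) >= threshold:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a partially 'encrypted' device storage."""
    root = tempfile.mkdtemp(prefix="sova_demo_")
    # Untouched plaintext document: no .enc extension, must not be reported.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly budget notes\n" * 200)
    # Renamed but not encrypted: has .enc, but entropy is ~0, must not be reported.
    with open(os.path.join(root, "decoy.enc"), "wb") as fh:
        fh.write(b"A" * 4096)
    # Simulated ciphertext: random bytes stand in for AES output (constructed).
    dcim = os.path.join(root, "DCIM")
    os.makedirs(dcim)
    with open(os.path.join(dcim, "IMG_0001.jpg.enc"), "wb") as fh:
        fh.write(os.urandom(8192))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_suspect_files(sample_root):
        print("suspect encrypted file:", hit)
```

On a real image, point `find_suspect_files` at the mounted user-data partition; the entropy test also helps distinguish a completed encryption run from one that was interrupted mid-way, which matters when deciding whether any originals are recoverable.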
Another recently disclosed Android malware is HiddenAds, distributed through malicious apps masquerading as cleaner and optimization apps for device management. The apps were hosted on the Google Play Store.
Discovered by McAfee’s Mobile Research Team, the malware hides itself and continuously displays advertisements to infected Android users. It can also start its services automatically after installation, without the user ever launching the app.