The SOVA Android banking trojan is back with upgraded capabilities, making it more of a threat than ever before. Reportedly, it can target a minimum of 200 mobile applications, including banking apps, crypto wallets, and crypto exchanges. Previously, it could only target 90 applications.
According to the Italian cybersecurity firm Cleafy, its latest findings include a newer version of the malware that can intercept two-factor authentication codes and steal cookies. The malware's targeting has also expanded to cover Australia, Brazil, China, the UK, India, and the Philippines.
SOVA, which means "owl" in Russian, became known in September 2021 when it was seen striking shopping and financial apps in Spain and the US. Using overlay attacks, it took advantage of Android's Accessibility service to harvest credentials.
In under a year, the trojan was able to act as a foundation for MaliBot, another Android malware. This malware was designed to target online banking and cryptocurrency wallet customers located mainly in Spain and Italy.
The upgraded variant of SOVA, called v4 by Cleafy, hides within fake applications whose logos resemble those of legitimate apps such as Google Chrome and Amazon, deceiving users into installing them. Improvements in SOVA include recording the device screen and capturing screenshots.
One of the most notable actions SOVA v4 can take is gathering sensitive information from Trust and Binance Wallet, including account balances and seed phrases. Furthermore, all of the Ukrainian and Russian-based banking apps previously targeted by the malware have been removed from this version.
Even more alarming, the update allows the malware to leverage its already wide-ranging permissions to deflect any uninstallation attempts. It redirects the victim to the home screen and displays the message "This app is secured." This makes it a formidable threat in the mobile threat landscape.