SOVA, an Android banking trojan, has been spotted in the wild again and appears to have new features.
SOVA was first spotted in September 2021, when its developers posted a roadmap of future updates on the dark web announcing that the malware was entering the market, despite still being under testing.
Since then, several versions of SOVA have appeared, each implementing features listed in the 2021 development roadmap, including MFA interception, cookie stealing, and injections for new targets and countries.
Researchers spotted a new version, SOVA v4, reportedly targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets such as Binance.
The most notable addition is the Virtual Network Computing (VNC) feature, which had been on the SOVA roadmap since September 2021; its arrival is strong evidence that the threat actors are steadily updating the malware with the capabilities they announced.
The malware’s latest version can also obtain screenshots from the infected devices, record and perform gestures and manage multiple commands.
In SOVA v4, the cookie stealer mechanism was further refactored and improved to specify a comprehensive list of targeted Google services, alongside a list of other applications. The updated malware can also protect itself by intercepting actions aimed at uninstalling its app.
Researchers also claimed to have spotted instances of yet another variant, SOVA v5. It shows further refactoring of the code, the addition of new features, and some small changes in the communication between the malware and the C2 server.
SOVA v5 lacks the VNC module, but it instead features ransomware capabilities, which are uncommon in banking trojans.
This research was documented by researchers from the security firm Cleafy.
Indicators of Compromise.