"Android Banking Trojan SOVA Comes Back With New Features Including Ransomware"

Security researchers at Cleafy have spotted the Android banking Trojan SOVA in the wild again, now with new features. The researchers stated that SOVA was first spotted in September 2021, when its developers posted a roadmap of future updates on the dark web announcing that the malware was entering the market despite still being under testing. In the following months, Cleafy spotted various versions of SOVA, some of which implemented features mentioned in the malware's 2021 development roadmap. The researchers noted that these included two-factor authentication (2FA) interception, cookie stealing, and injections for new targets and countries (e.g., multiple Philippine banks).

In July 2022, the researchers spotted a new version of SOVA (v4). SOVA v4 features new capabilities and is reportedly targeting more than 200 mobile applications (against the original 90 in 2021), including banking apps and crypto exchanges/wallets such as Binance. SOVA v4 can obtain screenshots from infected devices, record and perform gestures, and manage multiple commands. In SOVA v4, the cookie stealer mechanism was further refactored and improved to specify a comprehensive list of targeted Google services alongside a list of other applications. The updated malware can now also protect itself by intercepting actions aimed at uninstalling its app.

The researchers also recently saw a new variant, SOVA v5, which shows a further refactoring of the code, the addition of new features, and some minor changes in the communications between the malware and the command-and-control (C2) server. More specifically, SOVA v5 lacks the VNC module, but it instead features ransomware capabilities.


Infosecurity reports: "Android Banking Trojan SOVA Comes Back With New Features Including Ransomware"
