Get The Latest Insights

By Jessica Ellis | October 27, 2021

A new Android banking trojan is targeting financial institutions, crypto-wallets, and the retail industry. Dubbed S.O.V.A., the Russian word for Owl, the feature-rich malware abuses device accessibility services to steal personal identifiable information and banking credentials. S.O.V.A. is still in its development phase and, if authors deliver on future capabilities promised, this already dangerous malware could become one of the most damaging banking trojans to date.

S.O.V.A. Capabilities

S.O.V.A. is currently targeting users in the U.S., Spain, and others with malicious mobile apps. These apps are impersonating brands to convince a user to download the malware onto their mobile device. Once the victim opens the app, the trojan requests permission to use Android’s Accessibility Service. This will give the attacker the ability to intercept and monitor all activities occurring on the device screen.

S.O.V.A. will create listeners on the infected device that trigger action from the attacker every time an event occurs. Events include uploading data, opening a targeted application, or receiving an SMS. Each time a listener is triggered, the details of that event are sent to the attacker’s command-and-control (C&C) server. The attacker will then perform their desired action.

Current actionable features:

  • Keylogging
  • Overlays
  • Send and Intercept SMS
  • Notification Control
  • Add or Delete Apps
  • Clipboard Manipulation
  • Session Cookie Stealer

Two of the more advanced functions include clipboard manipulation and the ability to steal session cookies.

Clipboard Manipulation

Operators have the ability to modify the victim’s clipboard. This function can be used to substitute cryptocurrency addresses and redirect stolen funds to the criminal’s wallet. Specifically, if the data happens to be a Bitcoin, Ethereum, Binance, or TRON wallet address, S.O.V.A. operators can remove and replace it with a corresponding address that is tied to the attacker.

Session Cookies

The ability to steal session cookies is not unheard of with Android malware, however it is uncommon. S.O.V.A. carries out this action by creating a WebView that will mimic the target’s intended login page. Once the victim provides credentials and logs in, the actor can steal cookies via Android CookieManager. Once in possession of a session cookie, the actor has access to the victim’s logged in account, rendering banking credentials nonessential. S.O.V.A. creators plan to automate this feature in future versions.

Along with S.O.V.A.’s already robust set of capabilities, future features indicate the malware will be particularly advanced, including:

  • Automatic Cookie and Overlay Injections
  • Distributed Denial of Service (DDoS)
  • Virtual Network Computing (VNC)
  • Deploy Ransomware
  • Man-in-the-Middle
  • 2FA Interception

S.O.V.A.’s authors have not been shy about announcing these features, going as far as to provide videos and screenshots of what is to come. Additionally, modifications to the malware have been made to include IP checks to avoid targeting the CIS region and increased support for Chinese phone manufacturers.

Since its discovery in July, S.O.V.A. has differentiated itself not only with the wide-variety of features it is capable of executing, but also the extensive list of future functions not usually seen in mobile malware. If these are executed, S.O.V.A. could set a new and dangerous standard for Android banking malware .

Hash Examples:
MD5602fb88bc7ec96f77b744ca5bc7d0426
SHA1a57afe70c02738759452ac60c9ec3351e65f388f
SHA256ea074b596865c2df2b902e466e2fa3ecea69b1f6df50d38645b3e2c81ca30a4a

The C2:
sovamo31an2s4s31d.top

Suspected C2 Endpoints:

  • /keylog.php
  • /logpost.php
  • /testpost.php
  • forinject.php

PhishLabs will continue to monitor S.O.V.A. for new activity and updates.

Additional Resources: