Get The Latest Insights

By Jessica Ellis | October 27, 2021

A new Android banking trojan is targeting financial institutions, crypto-wallets, and the retail industry. Dubbed S.O.V.A., the Russian word for Owl, the feature-rich malware abuses device accessibility services to steal personal identifiable information and banking credentials. S.O.V.A. is still in its development phase and, if authors deliver on future capabilities promised, this already dangerous malware could become one of the most damaging banking trojans to date.

S.O.V.A. Capabilities

S.O.V.A. is currently targeting users in the U.S., Spain, and others with malicious mobile apps. These apps are impersonating brands to convince a user to download the malware onto their mobile device. Once the victim opens the app, the trojan requests permission to use Android’s Accessibility Service. This will give the attacker the ability to intercept and monitor all activities occurring on the device screen.

S.O.V.A. will create listeners on the infected device that trigger action from the attacker every time an event occurs. Events include uploading data, opening a targeted application, or receiving an SMS. Each time a listener is triggered, the details of that event are sent to the attacker’s command-and-control (C&C) server. The attacker will then perform their desired action.

Current actionable features:

  • Keylogging
  • Overlays
  • Send and Intercept SMS
  • Notification Control
  • Add or Delete Apps
  • Clipboard Manipulation
  • Session Cookie Stealer

Two of the more advanced functions include clipboard manipulation and the ability to steal session cookies.

Clipboard Manipulation

Operators have the ability to modify the victim’s clipboard. This function can be used to substitute cryptocurrency addresses and redirect stolen funds to the criminal’s wallet. Specifically, if the data happens to be a Bitcoin, Ethereum, Binance, or TRON wallet address, S.O.V.A. operators can remove and replace it with a corresponding address that is tied to the attacker.

Session Cookies

The ability to steal session cookies is not unheard of with Android malware, however it is uncommon. S.O.V.A. carries out this action by creating a WebView that will mimic the target’s intended login page. Once the victim provides credentials and logs in, the actor can steal cookies via Android CookieManager. Once in possession of a session cookie, the actor has access to the victim’s logged in account, rendering banking credentials nonessential. S.O.V.A. creators plan to automate this feature in future versions.

Along with S.O.V.A.’s already robust set of capabilities, future features indicate the malware will be particularly advanced, including:

  • Automatic Cookie and Overlay Injections
  • Distributed Denial of Service (DDoS)
  • Virtual Network Computing (VNC)
  • Deploy Ransomware
  • Man-in-the-Middle
  • 2FA Interception

S.O.V.A.’s authors have not been shy about announcing these features, going as far as to provide videos and screenshots of what is to come. Additionally, modifications to the malware have been made to include IP checks to avoid targeting the CIS region and increased support for Chinese phone manufacturers.

Since its discovery in July, S.O.V.A. has differentiated itself not only with the wide-variety of features it is capable of executing, but also the extensive list of future functions not usually seen in mobile malware. If these are executed, S.O.V.A. could set a new and dangerous standard for Android banking malware .

Hash Examples:

The C2:

Suspected C2 Endpoints:

  • /keylog.php
  • /logpost.php
  • /testpost.php
  • forinject.php

PhishLabs will continue to monitor S.O.V.A. for new activity and updates.

Additional Resources: