
What Is SOVA Malware? | SOVA Android Banking Trojan, Features, Risks & Protection

SOVA Android malware has evolved from a banking trojan to a ransomware threat, encrypting files and stealing credentials. Learn how it works and how Keepnet's xHRM platform helps protect your team against mobile threats like SOVA.

What is SOVA Malware?

SOVA is an Android banking trojan first spotted in 2021 that has rapidly evolved from a credential-stealing overlay tool to a multi-purpose threat with cookie theft, 2FA interception, on-device control (VNC), and even a ransomware module in later versions. It spreads via fake or trojanized apps and abuses Accessibility Services to gain broad permissions, target hundreds of banking and crypto apps, and block attempts to uninstall it. Organizations and individuals should harden Android fleets, train users, and deploy mobile threat defense.

What is SOVA Malware?

SOVA (from the Russian word for “owl”) is an Android banking trojan designed to steal credentials and other sensitive data and to facilitate fraud straight from infected devices. Researchers first documented it publicly in September 2021, noting its unusual focus on session cookie theft alongside classic banking-trojan tricks such as overlays and keylogging. Early posts by its authors even included a roadmap for future features like VNC remote control, DDoS, and ransomware—ambitions that later research confirmed were gradually implemented.

Why SOVA Matters Now

SOVA isn’t a “one-and-done” strain. It has kept evolving, adding new capabilities across versions and expanding its target list from ~90 apps to 200+ banking, crypto, and financial apps worldwide. That growth—and the shift from pure credential theft to on-device fraud and file encryption—is what elevates SOVA from “another Android trojan” to a strategic, long-term mobile threat.

How SOVA Infects Android Devices

Attackers typically distribute SOVA through malicious or impersonated apps that imitate known brands (e.g., Chrome, Amazon, well-known wallets). Users encounter these via smishing, malvertising, rogue app stores, “updates,” or links in social channels. After installation, SOVA abuses Accessibility Services to:

  • Grant itself wide permissions without raising alarms
  • Hide its icon and persist across reboots
  • Display overlays on top of legitimate banking/crypto apps
  • Block uninstall attempts by bouncing users back to the home screen with messages like “This app is secured” (v4)

Picture 1: SOVA Malware Infection Process Overview

What SOVA Can Do: Key Capabilities

While specifics vary by version, SOVA’s core capabilities include:

  • Overlay Attacks: When a user opens a targeted app, SOVA presents a pixel-perfect fake login to capture credentials and card details. Overlays are updated per target and region, enabling scalable theft.
  • Keylogging & Notification Manipulation: SOVA can log keystrokes and hide or intercept notifications (including SMS), bolstering credential theft and evasion.
  • Session Cookie Theft: SOVA’s standout early feature. By spinning up a WebView and grabbing cookies via Android’s CookieManager, SOVA can hijack live sessions (e.g., Gmail, PayPal) without needing the password. Later versions refined cookie stealing and expanded the list of Google services targeted (Gmail, GPay, Google Password Manager).
  • 2FA Interception: Researchers observed SOVA commands for Google Authenticator code capture and broader 2FA bypass tactics, weakening one-time codes that protect bank logins.
  • Remote Control / On-Device Fraud (VNC-like): SOVA v4 introduced VNC-style capabilities (screen capture, recording, simulated taps/swipes), enabling operators to perform fraudulent actions directly on the device—harder for banks to detect than “off-device” fraud.
  • Crypto-Specific Theft: Dedicated logic for Binance and Trust Wallet, including attempts to gather balances and seed phrases—a critical risk for crypto holders.
  • Anti-Removal & Stealth: SOVA can block uninstalls, refactor modules to be more stealthy (e.g., using Android/obb/ for payloads), and maintain resilience against user cleanup attempts.
  • Ransomware Module (v5): SOVA’s v5 adds an AES-based ransomware component that encrypts files and appends “.enc”. While early builds suggested it was still maturing, the presence of ransomware blurs lines between banking trojan and mobile ransomware.

Evolution & Version Timeline of SOVA Malware (Highlights)

  • 2021 (v1–v3): Public discovery; overlay + keylogging foundation; early support for cookie theft and Google Authenticator code capture; authors publish a roadmap promising VNC and ransomware.
  • H1 2022 (v3): Expanded 2FA interception, cookie stealing, and more injections for new banks/countries.
  • Mid-2022 (v4): Big jump: VNC-style control, screenshots/recording, anti-uninstall, target list grows to 200+ apps, and specialized modules for Binance/Trust Wallet.
  • Late-2022 (v5): Emergence of an AES ransomware module (files renamed “.enc”); code refactors continue. Some early v5 samples lacked VNC pending integration.

Bottom line: SOVA’s trajectory goes from credential theft → session hijacking → on-device fraud → ransomware—a rare breadth for mobile malware.

Who Is Being Targeted by SOVA Malware?

SOVA’s target scope spans banking, crypto exchanges, wallets, and shopping apps. Over time, researchers documented regional expansion (e.g., the U.K., India, Australia, Brazil, China, the Philippines), reflecting operator interest where mobile banking adoption is high. Target lists are now C2-driven, which lets attackers retune targets dynamically without shipping a new APK.

How SOVA Steals Money in Practice

  • Credential Capture via Overlay: Users submit login details to a convincing fake screen.
  • MFA Weakening: SOVA snags SMS/notification-based codes or Authenticator codes (where feasible).
  • Session Hijack with Cookies: Even if passwords change, hijacked sessions can enable access.
  • On-Device Fraud: With VNC-like control, attackers move money within the legitimate app, making fraud harder to distinguish from a real user.
  • Crypto Theft: Dedicated logic tries to exfiltrate seed phrases or manipulate clipboard wallet addresses.

Signs You Might Be Infected (Indicators of Compromise) by SOVA

  • Strange overlays on top of banking/financial apps
  • Accessibility Services suddenly enabled for an unknown app
  • Uninstall is blocked (kicks you back to the home screen with a “secured” toast)
  • Unusual battery or data usage, unexplained screen recordings
  • Unexpected SMS activity or notifications disappearing
  • Crypto app prompts or requests for seed phrases out of normal flow

Impact on Organizations and Individuals

SOVA’s combination of credential theft and ransomware makes it a serious threat for both personal and professional users. It doesn’t just affect a single device—it can disrupt financial stability, compromise sensitive data, and paralyze operations.

The table below highlights how SOVA impacts individuals and organizations differently.

Financial Loss
  • Individuals: Theft of banking credentials can lead to unauthorized transactions and lost funds.
  • Organizations: Encrypted data and stolen credentials can result in large financial losses.

Data Loss
  • Individuals: Personal files like photos, messages, and documents may become inaccessible.
  • Organizations: Critical business files may be encrypted, causing downtime and operational delays.

Privacy Risk
  • Individuals: Exposure of sensitive personal data can lead to identity theft or blackmail.
  • Organizations: Breach of confidential data can trigger compliance violations and legal actions.

Reputational Damage
  • Individuals: Limited but possible if sensitive personal data is leaked online.
  • Organizations: Data breaches can severely damage brand trust and customer relationships.

Table 1: Key Differences in SOVA Malware Impact on Individuals and Organizations

SOVA’s dual-threat nature demands urgent attention and proactive defense, especially for organizations with mobile-dependent workflows.

How to Remove SOVA Safely

  • Disconnect from networks (Wi-Fi and mobile data).
  • Reboot into Safe Mode (blocks most third-party apps) and try to uninstall the suspicious app(s). If SOVA blocks removal in normal mode, Safe Mode often helps. (If that fails, proceed.)
  • Use Android Device Settings → Apps → suspicious app → Uninstall.
  • Run Google Play Protect and, ideally, a reputable mobile security app to scan/clean.
  • Revoke Accessibility and other suspicious permissions for apps you don’t fully trust.
  • If you suspect ransomware activity or deep persistence:
      • Back up essential data (avoid copying any suspicious APKs).
      • Factory reset the device.
      • Restore only from known-good backups.
  • Change all financial passwords, re-enroll MFA, and invalidate sessions (log out of all devices) for banking, email, and crypto apps.

If you used the device for corporate access, inform your IT/SOC so they can check downstream risk (email, MDM, SSO, VPN tokens, etc.).
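Two of the indicators listed above (an unexpected Accessibility Service and a sideloaded app) and the uninstall step can be checked and attempted over adb without touching the Settings screens the trojan guards. The script below is an added example, not code from the original article or from Keepnet; it assumes USB debugging is already enabled on the device, and the allowlists and sample package names are constructed.

```shell
#!/bin/sh
# Added triage helpers for the SOVA indicators above (not Keepnet's or any
# researcher's code). Assumes USB debugging is on and `adb` sees the device.

# Accessibility services allowed to stay enabled (constructed allowlist).
ALLOWED_A11Y="com.google.android.marvin.talkback"
# Installers we trust; any other value (including "null") means sideloaded.
APPROVED_INSTALLERS="com.android.vending"

# Print enabled accessibility components whose package is not allowlisted.
# $1: raw value of secure setting `enabled_accessibility_services`
#     (colon-separated "package/service" entries, or "null" when none)
# $2: space-separated package allowlist
flag_accessibility_services() {
  raw=$1; allow=$2
  [ "$raw" = "null" ] && return 0
  printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r comp; do
    [ -n "$comp" ] || continue
    pkg=${comp%%/*}
    case " $allow " in *" $pkg "*) ;; *) printf '%s\n' "$comp" ;; esac
  done
}

# Read `pm list packages -i -3` output on stdin; print third-party packages
# whose installer is not in the approved list ($1, space-separated).
flag_sideloaded() {
  approved=$1
  while IFS= read -r line; do
    case $line in package:*) ;; *) continue ;; esac
    pkg=${line#package:}; pkg=${pkg%% *}
    inst=${line##*installer=}
    case " $approved " in *" $inst "*) ;; *) printf '%s\n' "$pkg" ;; esac
  done
}

# Live run: two indicator checks that do not need the Settings UI, which the
# trojan may be blocking.
triage_device() {
  echo "== enabled accessibility services not on the allowlist =="
  flag_accessibility_services \
    "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
    "$ALLOWED_A11Y"
  echo "== third-party packages not installed by an approved store =="
  adb shell pm list packages -i -3 | tr -d '\r' | flag_sideloaded "$APPROVED_INSTALLERS"
}

# Package-manager uninstall bypasses the Settings screens the trojan bounces
# users away from, so it is worth trying before a factory reset.
remove_package() { adb shell pm uninstall --user 0 "$1"; }
if [ "${1:-}" = "--run" ]; then triage_device; fi
```

Run it as `sh triage.sh --run` with the device attached; anything it prints is a package to inspect, and `remove_package <pkg>` attempts removal through the package manager.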

Preventing SOVA: Practical Tips for Individuals

  • Install apps only from official stores; avoid sideloading APKs.
  • Scrutinize permissions, especially Accessibility Services. A PDF reader shouldn’t want Accessibility and notification access.
  • Keep Android and apps updated; apply security patches promptly.
  • Use stronger MFA (e.g., security keys or device-bound passkeys) instead of SMS where supported.
  • Enable Play Protect and consider a reputable mobile security solution.
  • Harden your browser and passwords: use a password manager, unique passphrases, and limit “stay signed in” on sensitive sites.
  • Back up your files: in case you hit the ransomware branch of SOVA, backups reduce the blast radius.

Preventing SOVA at Work: Guidance for Security & IT Teams

Mobile Device Management (MDM/UEM):

  • Enforce Managed Google Play and block unknown sources.
  • Policy-block Accessibility for non-approved apps.
  • Require OS version minimums and patch level SLAs.

Mobile Threat Defense (MTD):

  • Deploy agents that detect overlay behavior, abuse of Accessibility, suspicious WebView usage, and command-and-control traffic.

Conditional Access / Zero Trust:

Gate access to corporate resources based on device health.

Runtime Protections in Mobile Apps:

Encourage banking/fintech partners to use overlay detection, root/jailbreak checks, and runtime integrity.

Security Awareness Training:

Include mobile social engineering (smishing, fake updates, app impersonation) in security awareness programs; highlight seed-phrase safety for staff who manage corporate crypto.

Incident Playbooks:

Document Android malware triage (Safe Mode, uninstall, factory reset), credential rotation, and session revocation for identity providers and finance tools.

Threat Intel & Monitoring:

Track SOVA indicators (hashes, C2s) and watch for abnormal mobile banking transactions from corporate devices.

SOVA vs. Other Android Banking Trojans

Anatsa/TeaBot, Vultur, ERMAC, and others also abuse overlays and Accessibility to steal credentials. However, SOVA’s cookie theft focus, VNC-like on-device fraud, and the addition of a ransomware module make it a hybrid that spans credential theft, session hijack, remote fraud, and file encryption—a broader spectrum than many peers.

Defending Against SOVA with Keepnet xHRM Platform

Stopping threats like SOVA Android malware requires more than tools—it demands smarter people. The Keepnet Extended Human Risk Management Platform delivers adaptive training, real-world simulations, and automated incident response to reduce human risk and stop mobile attacks at the source.

  • Personalized Training Programs: Access over 2,100 materials in 36+ languages, covering smishing, quishing, vishing, and compliance topics.
  • AI-Powered Phishing Simulations: Run 6,000+ attack scenarios with instant micro-training triggered by risky user behavior.
  • Mobile Security Enforcement: Apply MDM policies to control app use and remotely wipe compromised devices.
  • Proactive Threat Detection & Response: Use tools like Email Threat Simulator, Threat Intelligence, and Incident Responder to catch and contain threats quickly.
  • Always-On Awareness: Automate posters, screensavers, and infographics to reinforce secure behavior every day.

With Keepnet, you transform your workforce into your first line of defense against mobile threats like SOVA.

The Future of Mobile Malware and SOVA

SOVA's transformation into a dual-threat malware highlights a critical evolution in mobile cyberattacks. It now combines credential theft with ransomware, targeting Android users through phishing, fake apps, and advanced social engineering tactics.

As mobile threats grow in complexity and begin extending into IoT environments, organizations must treat mobile devices as high-risk assets. Applying the same security standards used for desktops and servers is now essential.

To assess your team’s readiness against threats like SOVA, start with Keepnet’s free phishing simulation test—a quick way to identify human vulnerabilities and strengthen your frontline defenses.

Editor's note: This article was updated on August 21, 2025.

Frequently Asked Questions

Is SOVA still active?

Researchers continue to track newer SOVA versions and spin-offs, with campaigns expanding to new countries and targets—a sign of ongoing activity rather than a one-off outbreak.

How does SOVA bypass MFA?

SOVA abuses Accessibility Services to intercept codes (including Google Authenticator in earlier builds) and can hijack live sessions via cookie theft, reducing reliance on passwords and MFA altogether. Stronger factors like security keys lessen this risk.

Can SOVA steal my crypto?

Yes. Certain versions specifically target Binance and Trust Wallet, aiming for balances and seed phrases. Never enter a seed phrase into an unexpected screen; hardware wallets and offline backups add safety.

What’s different about SOVA v5?

Ransomware. v5 introduced an AES-based module that encrypts files and appends “.enc”. This capability was previewed in the 2021 roadmap and surfaced in later samples.

Why can’t I uninstall the malicious app?

SOVA can block removal by abusing Accessibility to kick you back to the home screen. Try Safe Mode or, if necessary, a factory reset after backing up essentials.

Which regions are affected by Sova Malware?

Reports have cited targeting in the U.S., Spain, and later in Australia, Brazil, China, India, the Philippines, and the U.K. The C2-managed target list means operators can shift focus quickly.