
What Is SOVA Android Banking Malware? Capabilities, Risks, and Defense in 2026

SOVA Android malware has evolved from a banking trojan to a ransomware threat, encrypting files and stealing credentials. Learn how it works and how Keepnet's xHRM platform helps protect your team against mobile threats like SOVA.

Ozan Ucar, Founder and CEO of Keepnet

What is SOVA Malware?

SOVA is an Android banking trojan first spotted in 2021 that rapidly evolved from a credential-stealing tool into a dual-threat malware combining financial fraud with ransomware capability. By 2026, SOVA represents one of the most advanced Android banking trojans documented, with version 5 introducing file encryption that persists even after device wipes. Security researchers observed SOVA-family variants in active campaigns targeting banking customers across Europe, Asia-Pacific, and Latin America through 2025. Distribution through fake banking apps, crypto wallet applications, and impersonation of popular consumer apps continues to evolve as app stores improve detection capabilities.

SOVA (from the Russian word for “owl”) is an Android banking trojan designed to steal credentials and other sensitive data and to facilitate fraud straight from infected devices. Researchers first documented it publicly in September 2021, noting its unusual focus on session cookie theft alongside classic banking trojan tricks such as overlays and keylogging. Early posts by its authors even included a roadmap for future features like VNC remote control, DDoS, and ransomware—ambitions that later research confirmed were gradually implemented.

Why SOVA Matters Now

SOVA is not a legacy threat. Active campaigns using SOVA-derived code were documented through 2024 and 2025, with new variants adapting to Android security updates introduced in versions 12, 13, and 14. As Google and device manufacturers introduce new restrictions on Accessibility Service abuse, SOVA variants have found alternative methods to maintain persistence. Organizations with employees who use Android devices for banking or corporate access face ongoing risk from SOVA-style attacks that current mobile endpoint protection tools do not fully mitigate.

How SOVA Infects Android Devices

Attackers typically distribute SOVA through malicious or impersonated apps that imitate known brands (e.g., Chrome, Amazon, well-known wallets). Users encounter these via smishing, malvertising, rogue app stores, fake “updates,” or links in social channels. After installation, SOVA abuses Accessibility Services to:

  • Grant itself wide permissions without raising alarms
  • Hide its icon and persist across reboots
  • Display overlays on top of legitimate banking/crypto apps
  • Block uninstall attempts by bouncing users back to the home screen with messages like “This app is secured” (v4)

Picture 1: SOVA Malware Infection Process Overview

What SOVA Can Do: Key Capabilities

While specifics vary by version, SOVA’s core capabilities include:

  • Overlay Attacks: When a user opens a targeted app, SOVA presents a pixel-perfect fake login to capture credentials and card details. Overlays are updated per target and region, enabling scalable theft.
  • Keylogging & Notification Manipulation: SOVA can log keystrokes and hide or intercept notifications (including SMS), bolstering credential theft and evasion.
  • Session Cookie Theft: SOVA’s standout early feature. By spinning up a WebView and grabbing cookies via Android’s CookieManager, SOVA can hijack live sessions (e.g., Gmail, PayPal) without needing the password. Later versions refined cookie stealing and expanded the list of Google services targeted (Gmail, GPay, Google Password Manager).
  • 2FA Interception: Researchers observed SOVA commands for Google Authenticator code capture and broader 2FA bypass tactics, weakening the one-time codes that protect bank logins.
  • Remote Control / On-Device Fraud (VNC-like): SOVA v4 introduced VNC-style capabilities (screen capture, recording, simulated taps/swipes), enabling operators to perform fraudulent actions directly on the device, which is harder for banks to detect than “off-device” fraud.
  • Crypto-Specific Theft: Dedicated logic for Binance and Trust Wallet, including attempts to gather balances and seed phrases, a critical risk for crypto holders.
  • Anti-Removal & Stealth: SOVA can block uninstalls, refactor modules to be more stealthy (e.g., using Android/obb/ for payloads), and maintain resilience against user cleanup attempts.
  • Ransomware Module (v5): SOVA’s v5 adds an AES-based ransomware component that encrypts files and appends “.enc”. While early builds suggested it was still maturing, the presence of ransomware blurs the line between banking trojan and mobile ransomware.

Evolution & Version Timeline of SOVA Malware (Highlights)

  • 2021 (v1–v3): Public discovery; overlay + keylogging foundation; early support for cookie theft and Google Authenticator code capture; authors publish a roadmap promising VNC and ransomware.
  • H1 2022 (v3): Expanded 2FA interception, cookie stealing, and more injections for new banks/countries.
  • Mid 2022 (v4): Big jump: VNC-style control, screenshots/recording, anti-uninstall, target list grows to 200+ apps, and specialized modules for Binance/Trust Wallet.
  • Late 2022 (v5): Emergence of an AES ransomware module (files renamed “.enc”); code refactors continue. Some early v5 samples lacked VNC pending integration.

SOVA's trajectory goes from credential theft through session hijacking toward on-device fraud and ransomware, with each version targeting broader geographies and more app categories. In 2026, the SOVA codebase has influenced a new generation of Android banking trojans that combine its most effective features: overlay attacks, accessibility abuse, cookie theft, and file encryption. Organizations must treat mobile malware as a persistent and evolving threat category rather than a periodic concern.

Who Is Being Targeted by SOVA Malware?

SOVA’s target scope spans banking, crypto exchanges, wallets, and shopping apps. Over time, researchers documented regional expansion (e.g., the U.K., India, Australia, Brazil, China, the Philippines), reflecting operator interest where mobile banking adoption is high. Target lists are now C2-driven, which lets attackers retune targets dynamically without shipping a new APK.

How SOVA Steals Money in Practice

  • Credential Capture via Overlay: Users submit login details to a convincing fake screen.
  • MFA Weakening: SOVA snags SMS/notification-based codes or Authenticator codes (where feasible).
  • Session Hijack with Cookies: Even if passwords change, hijacked sessions can enable access.
  • On-Device Fraud: With VNC-like control, attackers move money within the legitimate app, making fraud harder to distinguish from a real user.
  • Crypto Theft: Dedicated logic tries to exfiltrate seed phrases or manipulate clipboard wallet addresses.

Signs You Might Be Infected (Indicators of Compromise) by SOVA

  • Strange overlays on top of banking/financial apps
  • Accessibility Services suddenly enabled for an unknown app
  • Uninstall is blocked (kicks you back to the home screen with a “secured” toast)
  • Unusual battery or data usage, unexplained screen recordings
  • Unexpected SMS activity or notifications disappearing
  • Crypto app prompts or requests for seed phrases out of normal flow
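To make the Accessibility and sideloading indicators above checkable on a managed device, here is an added Python triage helper (not Keepnet's code and not part of the original article). It parses the text that `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` return, flagging accessibility services outside an allowlist and third-party packages not installed by Google Play; the allowlist, package names and sample outputs are constructed for illustration.

```python
import re

# Hypothetical allowlist of accessibility services the organisation has approved.
APPROVED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Google Play's installer package; any other installer counts as a non-store source.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries, or "null" when none are enabled.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.fake/com.chrome.update.fake.AccService"
)
# Constructed sample of `pm list packages -3 -i`; installer=null means sideloaded.
SAMPLE_PM = """package:com.whatsapp  installer=com.android.vending
package:com.chrome.update.fake  installer=null
package:com.example.pdfviewer  installer=com.android.vending
"""
_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_accessibility_services(setting):
    """Split the raw setting value into its package/ServiceClass entries."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [entry for entry in setting.split(":") if entry]

def unapproved_accessibility(setting, approved=APPROVED_ACCESSIBILITY):
    """Accessibility services enabled on the device but absent from the allowlist."""
    return [s for s in parse_accessibility_services(setting) if s not in approved]

def sideloaded_packages(pm_output, trusted=TRUSTED_INSTALLERS):
    """Third-party packages whose recorded installer is not a trusted store."""
    flagged = []
    for line in pm_output.splitlines():
        match = _PKG_RE.match(line.strip())
        if match and match.group(2) not in trusted:
            flagged.append(match.group(1))
    return flagged

def triage(setting, pm_output):
    """Run both checks; a sideloaded package that also holds an unapproved
    accessibility service is the SOVA-style pattern to escalate first."""
    unapproved = unapproved_accessibility(setting)
    sideloaded = sideloaded_packages(pm_output)
    owners = {entry.split("/", 1)[0] for entry in unapproved}
    return {
        "unapproved_accessibility": unapproved,
        "sideloaded": sideloaded,
        "high_priority": sorted(owners & set(sideloaded)),
    }
```

Calling `triage(SAMPLE_ACCESSIBILITY, SAMPLE_PM)` on the constructed samples returns the sideloaded fake "Chrome update" package as the only high-priority hit; on a real device, feed it the two adb outputs instead.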

Impact on Organizations and Individuals

SOVA’s combination of credential theft and ransomware makes it a serious threat for both personal and professional users. It doesn’t just affect a single device. It can disrupt financial stability, compromise sensitive data, and paralyze operations.

The table below highlights how SOVA impacts individuals and organizations differently.

Aspect              | Individuals                                                                         | Organizations
------------------- | ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------
Financial Loss      | Theft of banking credentials can lead to unauthorized transactions and lost funds.  | Encrypted data and stolen credentials can result in large financial losses.
Data Loss           | Personal files like photos, messages, and documents may become inaccessible.        | Critical business files may be encrypted, causing downtime and operational delays.
Privacy Risk        | Exposure of sensitive personal data can lead to identity theft or blackmail.        | Breach of confidential data can trigger compliance violations and legal actions.
Reputational Damage | Limited but possible if sensitive personal data is leaked online.                   | Data breaches can severely damage brand trust and customer relationships.

Table 1: Key Differences in SOVA Malware Impact on Individuals and Organizations

SOVA’s dual threat nature demands urgent attention and proactive defense, especially for organizations with mobile dependent workflows.

How to Remove SOVA Safely

  • Disconnect from networks (Wi-Fi and mobile data).
  • Reboot into Safe Mode (blocks most third-party apps) and try to uninstall the suspicious app(s). If SOVA blocks removal in normal mode, Safe Mode often helps. (If that fails, proceed with the remaining steps.)
  • Use Android Device Settings → Apps → suspicious app → Uninstall.
  • Run Google Play Protect and, ideally, a reputable mobile security app to scan/clean.
  • Revoke Accessibility and other suspicious permissions for apps you don’t fully trust.
  • If you suspect ransomware activity or deep persistence:
      • Back up essential data (avoid copying any suspicious APKs).
      • Factory reset the device.
      • Restore only from known-good backups.
  • Change all financial passwords, re-enroll MFA, and invalidate sessions (log out of all devices) for banking, email, and crypto apps.

If you used the device for corporate access, inform your IT/SOC so they can check downstream risk (email, MDM, SSO, VPN tokens, etc.).

Preventing SOVA: Practical Tips for Individuals

  • Install apps only from official stores; avoid sideloading APKs.
  • Scrutinize permissions, especially Accessibility Services. A PDF reader shouldn’t want Accessibility and notification access.
  • Keep Android and apps updated; apply security patches promptly.
  • Use stronger MFA (e.g., security keys or device-bound passkeys) instead of SMS where supported.
  • Enable Play Protect and consider a reputable mobile security solution.
  • Harden your browser and passwords: use a password manager, unique passphrases, and limit “stay signed in” on sensitive sites.
  • Back up your files: in case you hit the ransomware branch of SOVA, backups reduce the blast radius.

Preventing SOVA at Work: Guidance for Security & IT Teams

Mobile Device Management (MDM/UEM):

  • Enforce Managed Google Play and block unknown sources.
  • Policy-block Accessibility for non-approved apps.
  • Require OS version minimums and patch-level SLAs.

Mobile Threat Defense (MTD):

  • Deploy agents that detect overlay behavior, abuse of Accessibility, suspicious WebView usage, and command and control traffic.
  • Conditional Access / Zero Trust: Gate access to corporate resources based on device health.
  • Runtime Protections in Mobile Apps: Encourage banking/fintech partners to use overlay detection, root/jailbreak checks, and runtime integrity.

Security Awareness Training:

Include mobile social engineering (smishing, fake updates, app impersonation) in security awareness programs; highlight seed phrase safety for staff who manage corporate crypto.

Incident Playbooks:

Document Android malware triage (Safe Mode, uninstall, factory reset), credential rotation, and session revocation for identity providers and finance tools.

Threat Intel & Monitoring:

Track SOVA indicators (hashes, C2s) and watch for abnormal mobile banking transactions from corporate devices.

SOVA vs. Other Android Banking Trojans

Other Android banking trojans also abuse overlays and Accessibility Services to steal credentials. However, SOVA’s cookie theft focus, VNC-like on-device fraud, and the addition of a ransomware module make it a hybrid that spans credential theft, session hijack, remote fraud, and file encryption, a broader spectrum than many peers.

Defending Against SOVA with Keepnet xHRM Platform

Stopping threats like SOVA Android malware requires more than tools. It demands smarter people. The Keepnet Extended Human Risk Management Platform delivers adaptive training, real-world simulations, and automated incident response to reduce human risk and stop mobile attacks at the source.

  • Personalized Training Programs: Access over 2,100 materials in 36+ languages, covering smishing, quishing, vishing, and compliance topics.
  • AI Powered Phishing Simulations: Run 6,000+ attack scenarios with instant micro training triggered by risky user behavior.
  • Mobile Security Enforcement: Apply MDM policies to control app use and remotely wipe compromised devices.
  • Proactive Threat Detection & Response: Use tools like Email Threat Simulator, Threat Intelligence, and Incident Responder to catch and contain threats quickly.
  • Always On Awareness: Automate posters, screensavers, and infographics to reinforce secure behavior every day.

With Keepnet, you transform your workforce into your first line of defense against mobile threats like SOVA.

The Future of Mobile Malware and SOVA

SOVA's transformation into a dual-threat malware highlights a critical evolution in mobile cyberattacks. It now combines credential theft with ransomware, targeting Android users through phishing, fake apps, and advanced social engineering tactics.

As mobile threats grow in complexity and begin extending into IoT environments, organizations must treat mobile devices as high-risk assets. Applying the same security standards used for desktops and servers is now essential.

To assess your team’s readiness against threats like SOVA, start with Keepnet’s free phishing simulation test, a quick way to identify human vulnerabilities and strengthen your frontline defenses.

Editor's Note: This article was updated on June 1, 2026.

Frequently Asked Questions

Is SOVA still active?

Researchers continue to track newer SOVA versions and spin-offs, with campaigns expanding to new countries and targets, a sign of ongoing activity rather than a one-off outbreak.

How does SOVA bypass MFA?

SOVA abuses Accessibility Services to intercept codes (including Google Authenticator in earlier builds) and can hijack live sessions via cookie theft, reducing reliance on passwords and MFA altogether. Stronger factors like security keys lessen this risk.

Can SOVA steal my crypto?

Yes. Certain versions specifically target Binance and Trust Wallet, aiming for balances and seed phrases. Never enter a seed phrase into an unexpected screen; hardware wallets and offline backups add safety.

What’s different about SOVA v5?

Ransomware. v5 introduced an AES-based module that encrypts files and appends “.enc”. This capability was previewed in the 2021 roadmap and surfaced in later samples.

Why can’t I uninstall the malicious app?

SOVA can block removal by abusing Accessibility to kick you back to the home screen. Try Safe Mode or, if necessary, a factory reset after backing up essentials.

Which regions are affected by SOVA Malware?

Reports have cited targeting in the U.S., Spain, and later in Australia, Brazil, China, India, the Philippines, and the U.K. The C2 managed target list means operators can shift focus quickly.

How does SOVA malware use overlay attacks to steal banking credentials?

SOVA deploys a pixel-perfect fake login screen that appears on top of a real banking or financial app the moment the user opens it. The user sees what looks like the legitimate app but is actually entering their credentials into a SOVA-controlled overlay. These credentials are immediately sent to the attacker's command-and-control server. Because the overlay matches the real app exactly, most users cannot tell the difference, making this technique highly effective even against security-aware individuals.

What is SOVA v5 and why is its ransomware capability significant?

SOVA v5 introduced a ransomware module that encrypts files on the infected device using AES encryption and appends a .enc extension. This makes SOVA a dual threat: it steals credentials and financial data while also being capable of locking the device and demanding a ransom. This combination is particularly dangerous because it means that even if the victim realizes they have been compromised and tries to recover their device, they may find their files encrypted. Organizations with employees using Android devices for work should treat SOVA v5 as a ransomware threat in addition to a credential-theft risk.

How can organizations protect against SOVA and similar Android banking trojans?

Organizations should deploy mobile device management (MDM) policies that enforce Managed Google Play and block sideloading, require regular security updates, and monitor for Accessibility Service abuse. Employees should receive training on recognizing smishing, fake app updates, and app impersonation tactics through which SOVA is commonly distributed. Keepnet's Smishing Simulator trains employees to identify the SMS phishing messages most commonly used to distribute banking trojans like SOVA.

What should an employee do if they suspect their device is infected with SOVA?

The employee should immediately disconnect the device from Wi-Fi and mobile data, reboot into Safe Mode to disable third-party apps, and not open any banking or financial apps until the device has been cleaned. They should inform their IT or security team so corporate credentials can be rotated and downstream risk assessed. If the device was used for corporate email, VPN, or other work access, those credentials should be treated as compromised and reset from a clean device. Use Keepnet's Incident Responder to identify and quarantine any phishing emails that may have delivered the initial SOVA payload.