
SOVA Android Banking Malware Adds Ransomware Feature to Encrypt Files


The Android banking Trojan SOVA (“owl” in Russian) has been under active development since September 2021. Reports say that in March 2022 several versions of SOVA were discovered, and some of the features announced at the time have since been implemented, including 2FA interception, cookie theft and injections for new targets, among them several Philippine banks. Now SOVA is back with updated capabilities and a new version in development that includes a ransomware module. “We have discovered a new version of Sova (v4) that offers new features and targets more than 200 mobile applications, including banking applications and cryptocurrencies/wallets,” the Cleafy researchers said. Spain appears to be the country most exposed to the malware, followed by the Philippines and the United States.

What’s new in SOVA v4?

SOVA v4 is hidden in fake Android applications that use the logo of popular apps such as Chrome, Amazon or an NFT platform.

[Figure: Main icons used by SOVA v4 (Cleafy)]

SOVA v4 has also been updated with new code related to its VNC capabilities. Threat actors can take screenshots of infected devices to gather more information about victims, and the malware can also record the screen and retrieve sensitive information. This lets the attacker look for ways to pivot to other systems or applications that may be more valuable to them.

[Figure: Casting/writing function of SOVA v4 (Cleafy)]

In SOVA v4 the cookie theft mechanism has been redesigned and improved. The threat actors specify the full list of Google services (such as Gmail, GPay and Google Password Manager) whose cookies they want to steal, as well as a list of other applications. For each stolen cookie SOVA also collects additional information such as whether it is HttpOnly, its expiration date, and so on.

The next new feature in SOVA v4 is a reorganization of the “protection” module, which is designed to defend the malware against various actions by the victim.

[Figure: Comparison of the decoded “protection” module in SOVA v3 and v4 (Cleafy)]

The researchers say that the SOVA .apk merely opens a .dex file, which contains the actual malicious functionality of the malware. A brand new module in SOVA v4 is dedicated to Binance and Trust Wallet (the official Binance crypto wallet). In particular, the threat actors aim to obtain information such as the account balance, the various actions the victim performs in the application and, finally, the seed phrase (the set of words) used to access the cryptocurrency wallet.
