There is a new entry in the Android Trojan world – SOVA. It is a banking Trojan that targets banking apps, shopping apps, and cryptocurrency wallets. Its current targets are Android users in the United States and Spain.
ThreatFabric first discovered SOVA in early August. Its authors built it to steal banking credentials and users' personally identifiable information. The main highlights of this malware:
- At present, this Trojan is still in the early developmental phase. It has, however, been advertised on hacker networks as an opportunity for malware testers.
- SOVA depends heavily on Accessibility Services to get all the necessary permissions to operate smoothly on compromised devices.
- Its main features are web overlay attacks, hiding notifications, keystroke logging, and clipboard manipulation that replaces copied bitcoin wallet addresses with altered ones.
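Two of the behaviours above, reliance on Accessibility Services and clipboard swapping of bitcoin addresses, leave traces a defender can check for. The following script is an added example (not SOVA code, and not from ThreatFabric): it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns and flags any enabled service whose package is not on an allowlist, and it scans a log of clipboard write events for the clipper signature, one bitcoin address overwritten by a different one from another app within a couple of seconds. The `ClipEvent` record, the sample service string, the allowlist, and the addresses are all constructed for the example.

```python
"""Defender-side checks for Accessibility Service abuse and clipboard
address swapping. Added example; all sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


def parse_enabled_accessibility_services(raw: str) -> list[str]:
    """Split the value of the Android secure setting
    'enabled_accessibility_services' (package/service:package/service...)
    into individual entries. The setting reads 'null' when nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def unexpected_accessibility_services(raw: str, allowlist: set[str]) -> list[str]:
    """Return enabled service entries whose package is not allowlisted.
    A banking Trojan that needs Accessibility permissions shows up here."""
    flagged = []
    for entry in parse_enabled_accessibility_services(raw):
        package = entry.split("/", 1)[0]
        if package not in allowlist:
            flagged.append(entry)
    return flagged


# Loose shape check: legacy/P2SH base58 addresses (1... or 3...) and bech32 (bc1...).
BTC_ADDRESS = re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS.match(text.strip()))


@dataclass(frozen=True)
class ClipEvent:
    """Constructed record of one clipboard write (hypothetical format)."""
    ts: float   # seconds since boot
    app: str    # package that wrote the clipboard
    text: str


def detect_address_swaps(events: Iterable[ClipEvent], window: float = 2.0
                         ) -> list[tuple[ClipEvent, ClipEvent]]:
    """Flag a bitcoin address that is overwritten by a *different* bitcoin
    address, written by a *different* app, within `window` seconds.
    That sequence is the signature of a clipper, not of a user copy/paste."""
    swaps = []
    prev: ClipEvent | None = None
    for ev in sorted(events, key=lambda e: e.ts):
        if (prev is not None
                and looks_like_btc_address(prev.text)
                and looks_like_btc_address(ev.text)
                and ev.text != prev.text
                and ev.app != prev.app
                and ev.ts - prev.ts <= window):
            swaps.append((prev, ev))
        prev = ev
    return swaps


# --- constructed sample data -------------------------------------------------
# TalkBack is a legitimate screen reader; com.example.fakeflash is a made-up app.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/com.example.fakeflash.A11yService"
)
ALLOWLIST = {"com.google.android.marvin.talkback"}

SAMPLE_EVENTS = [
    ClipEvent(100.0, "com.example.wallet", "1WaLLetAddrConstructedForTest12345"),
    ClipEvent(100.4, "com.example.fakeflash", "3AttackerSwapConstructedTest123456"),
    ClipEvent(160.0, "com.example.wallet", "1WaLLetAddrConstructedForTest12345"),
    ClipEvent(200.0, "com.example.notes", "meeting at 10"),
]

if __name__ == "__main__":
    for entry in unexpected_accessibility_services(SAMPLE_SERVICES, ALLOWLIST):
        print("non-allowlisted accessibility service:", entry)
    for before, after in detect_address_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at t={after.ts}: {before.app} wrote {before.text}, "
              f"{after.app} replaced it with {after.text}")
```

On a managed fleet the service string would come from MDM inventory or `adb shell settings get secure enabled_accessibility_services`; the clipboard feed is the harder part, since Android exposes clipboard writes only to an on-device agent, so the detector is meant to run over whatever event log such an agent produces.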
The creators of this banking Trojan have already published a detailed blueprint of features to include in the future versions of SOVA. Some of the highlights are:
- Automatic 3-stage overlay and cookie injections, DDoS, MitM, clipboard manipulation, regular push notifications, enhanced panel health, and intercepting 2FA (two-factor authentication) codes are just a few of the forthcoming features.
- The features promised for future versions are quite advanced and are expected to increase the spread of ransomware.
- With the addition of DDoS, it will gain automated botnet capabilities and could become one of the most dangerous banking malware families.
Despite being in its early stages, SOVA is marketed extensively on hacking forums. Its creators have high aspirations, which is why they have handed it to third parties for testing. SOVA is not yet an established banking Trojan targeting financial firms, which is exactly why security teams should act now and develop a risk-based mobile security approach.