Sova malware adds new features that make it more dangerous to a wider range of Android payment and banking app users.
The Sova Android banking malware first appeared for sale in underground markets in September last year, with its author stating that it was still under development. It has the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps.
With the latest release, the SOVA malware now targets over 200 banking, cryptocurrency exchange, and digital wallet applications, attempting to steal sensitive user data and cookies from them.
The malware sends a list of installed applications to the C2 and receives an XML containing a list of addresses that point to the correct overlays to be loaded when the victim opens a targeted app.
The fourth major version also added support for commands such as taking screenshots, performing clicks and swipes, copying and pasting files, and serving overlay screens at will.
This release also saw a significant code refactoring in the cookie stealer mechanism, now targeting Gmail, GPay, and Google Password Manager.
SOVA v4 added some protections against defensive actions, abusing Accessibility permissions to push the user back to the home screen if they attempt to uninstall the app manually.
Finally, the fourth version focused on Binance and the platform’s ‘Trust Wallet’ app, using a dedicated module created to steal the user’s secret seed phrase.
In the same advisory, Cleafy also claimed to have spotted some instances of yet another variant of SOVA. Version 5 of the malware shows a further refactoring of the code, the addition of new features, and some small changes in the communications between the malware and the command-and-control (C2) server.
| Indicator | Description |
|---|---|
| ca559118f4605b0316a13b8cfa321f65 | SOVA v4 without CIS regions |
| socrersutagans.]site | C2 of SOVA v4 |
| omainwpatnlfq.]site | Server used to display fake website of targeted app |
| satandemantenimiento.com | C2 of SOVA v5 |
| http://wecrvtbyutrcewwretyntrverfd.xyz | C2 of SOVA v5 |