SOVA malware adds ransomware feature to encrypt Android devices

SOVA malware adds new features that make it more dangerous to a wider range of Android payment and banking app users.

SOVA Malware

The SOVA Android banking malware first appeared for sale in underground markets in September last year, with its author stating that it was still under development. It can harvest usernames and passwords via keylogging, steal cookies, and add false overlays to a range of apps.

With the latest release, the SOVA malware now targets over 200 banking, cryptocurrency exchange, and digital wallet applications, attempting to steal sensitive user data and cookies from them.

The malware sends a list of installed applications to the C2 and receives an XML file containing a list of addresses that point to the correct overlays to be loaded when the victim opens a targeted app.

The fourth major version also added support for commands such as taking screenshots, performing clicks and swipes, copying and pasting files, and serving overlay screens at will.

This release also saw a significant code refactoring in the cookie stealer mechanism, now targeting Gmail, GPay, and Google Password Manager.

SOVA v4 added some protections against defensive actions, abusing Accessibility permissions to push the user back to the home screen if they attempt to uninstall the app manually.

Finally, the fourth version focused on Binance and the platform’s ‘Trust Wallet’ app, using a dedicated module created to steal the user’s secret seed phrase.

Ransomware Release

In the same advisory, Cleafy also claimed to have spotted some instances of yet another variant of SOVA. Version 5 of the malware shows a further refactoring of the code, the addition of new features, and some small changes in the communications between the malware and the command-and-control (C2) server.


