The Android banking Trojan SOVA has been spotted in the wild again and appears to have new features.
The news comes from Cleafy’s security researchers, who shared the findings in an advisory on Thursday.
The document explains how SOVA was first spotted in September 2021, when its developers posted a roadmap of future updates on the dark web saying the malware was entering the market, despite still being under testing.
In the following months, Cleafy spotted various versions of SOVA, some of which implemented certain features mentioned in the malware’s 2021 development roadmap.
These included two-factor authentication (2FA) interception, cookie stealing and injections for new targets and countries (e.g. multiple Philippine banks).
Then, in July 2022, Cleafy spotted a new version of SOVA (v4), which the security firm is now detailing in its latest advisory.
SOVA v4 features new capabilities and is reportedly targeting more than 200 mobile applications (against the original 90 in 2021), including banking apps and crypto exchanges/wallets such as Binance.
“The most interesting part is related to the [Virtual Network Computing] capability,” Cleafy wrote. “This feature has been in the SOVA roadmap since September 2021 and that is one strong evidence that threat actors are constantly updating the malware with new features and capabilities.”
Additionally, the malware’s latest version can also obtain screenshots from the infected devices, record and perform gestures and manage multiple commands.
In SOVA v4, the cookie stealer mechanism was further refactored and improved to specify a a comprehensive list of targeted Google services, alongside a list of other applications. Further, the updated malware can now protect itself by intercepting actions aimed at uninstalling its app.
In the same advisory, Cleafy also claimed to have spotted some instance of yet another variant of SOVA. The v5 of the malware shows a further refactoring of the code, the addition of new features and some small changes in the communications between the malware and the command-and-control (C2) server.
More specifically, SOVA v5 lacks the VNC module, but it instead features ransomware capabilities.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape,” Cleafy wrote.
“It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data."