SOVA, a new Android banking trojan, is targeting a number of banking applications, cryptocurrency wallets, and shopping apps from the US and Spain. The trojan also keeps getting more powerful, as the attackers are able to collect personal information from infected devices. This includes banking credentials and opens the door to on-device fraud.
SOVA literally means owl in Russian, and the current version of the banking trojan comes with myriad features. These enable it to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses. Looking at its growing capabilities, the trojan will in the future be able to carry out on-device fraud through VNC, carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes.
Researchers at ThreatFabric, a cybersecurity firm based in Amsterdam, discovered the banking trojan at the beginning of August 2021. They found that the overlay attacks carried out by the bad actors stole confidential user information using malware that overlays its own windows on top of another program. By pilfering valid session cookies, the criminals are also able to log in and take over a user's accounts without needing the banking credentials, which is pretty nasty.
ThreatFabric said in a blog post, “The second set of features, added in the future developments, are very advanced and would push S.O.V.A. into a different realm for Android malware, making it potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities.”
The malware is currently still in development, though the developers of SOVA are promoting the product on numerous hacking forums, looking to recruit testers to run trials of it and its bot capabilities on large numbers of devices. The forum post read, “Not redistribution of Cerberus/Anubis, the bot is written from scratch.”