SOVA: A new Android Trojan that steals bank codes

An advanced Android Banking Trojan under active development

A new, sophisticated Android banking trojan called SOVA has been detected and is causing great concern among users and companies. Although the malware is still under active development, there are clear indications that it is an advanced piece of malware that poses a real threat to any Android user.

SOVA (the Russian word for owl) was first detected in August by researchers at the Dutch cybersecurity company ThreatFabric. The company has recently released a detailed report explaining how SOVA operates and describing its numerous functions. Among other things, once the malware takes control of an Android device it can steal passwords and cookies, log keystrokes, and even manipulate notifications. Using SOVA, an attacker obtains access to a user’s personal information, such as banking passwords.

How does SOVA work?

Following a pattern common to banking trojans, SOVA presents a login page identical to the bank’s own but controlled by the attacker. When the user opens a banking application, the malware displays a WebView overlay on top of it, posing as the intended banking application. Because the overlay also captures cookies, this gives attackers access to valid logged-in sessions on the victim’s device without needing to know the banking credentials themselves.
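Two defensive measures a banking app can take against the overlay technique described above, as an added example that is not part of the original article or of ThreatFabric’s report: making the framework drop touches delivered while another window obscures the login form, and enumerating which non-system packages have been granted the “draw over other apps” permission as a risk signal. Class and method names are hypothetical; the Android APIs used are standard.

```java
import android.app.Activity;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.view.View;
import android.view.WindowManager;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class for a banking app's login screen (not from the article).
public final class OverlayDefense {

    // Call from the login activity's onCreate(). FLAG_SECURE blocks screenshots and screen
    // capture of the login form; setFilterTouchesWhenObscured(true) makes Android discard
    // touch events that arrive while another window (such as a malicious overlay) covers
    // this view, so taps cannot be relayed through a fake login page.
    public static void hardenLoginWindow(Activity activity, View loginForm) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        loginForm.setFilterTouchesWhenObscured(true);
    }

    // Returns the non-system packages currently allowed to draw over other apps.
    // Treat the result as a risk signal to log or report, not as proof of infection:
    // legitimate apps (screen filters, chat heads) use the same permission.
    public static List<String> packagesWithOverlayPermission(Context ctx) {
        List<String> allowed = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            // Skip preinstalled system components; they are not what we are looking for.
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            int mode = ops.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
                    app.uid, app.packageName);
            if (mode == AppOpsManager.MODE_ALLOWED) allowed.add(app.packageName);
        }
        return allowed;
    }
}
```

On Android 11 and later, package visibility rules limit what getInstalledApplications returns unless the app declares the QUERY_ALL_PACKAGES permission, so the list may be incomplete there.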

“The trojan is currently in development and testing phase and has the objective to add to his overlay and keylogging mechanisms, other highly dangerous features like DDoS and Ransomware in future versions,” ThreatFabric underlined in its September report. “Regardless, this malware is still in its infancy and it is undergoing a testing phase at the time of writing, prospecting serious and worrying plans for the near future. This observation is confirmed by a message from its author(s) posted on hacking forums.”

Available for trial

SOVA is still at an early stage, yet its “developers” are publicly advertising the malware for trial on hacking forums. The aim is to improve the trojan’s functionality, target a broad range of financial firms, and test SOVA on a wide variety of Android devices. The developers behind this Android banking trojan have also published a clear roadmap of features to be added to the malware. The roadmap includes automatic 3-stage overlay injections, automatic cookie injections, clipboard manipulation, ransomware (with an overlay for the card number), Man in the Middle (MitM), normal push notifications, and many others.

During the pandemic, a historic increase in mobile payment usage has been recorded. Attackers are following this massive shift to mobile banking, and 2020 and 2021 saw an explosion of Android banking trojans.

According to ThreatFabric, “SOVA – a new sophisticated malware – is the clear example of this trend. It is still a project in its infancy and now provides the same basic features as most other modern Android banking malware. However, the author behind this bot has high expectations for his product, and this is demonstrated by the author’s dedication to testing SOVA with third parties, as well as by SOVA’s explicit feature roadmap.” As the Dutch cybersecurity company explains, if the developers of this new Android trojan manage to deliver the features described in their roadmap, SOVA is likely to become the most feature-rich Android malware on the market and the ‘new norm’ for Android banking trojans targeting financial firms.

George Mavridis is a freelance journalist and writer based in Greece. His work primarily covers tech, innovation, social media, digital communication, and politics. He graduated from the Aristotle University of Thessaloniki with a BA in Journalism and Mass Communication. Also, he holds an MA in Media and Communication Studies from the Malmö University of Sweden and an MA in Digital Humanities from the Linnaeus University of Sweden.