New Ransomware Module Added to the Advanced SOVA Android Banking Trojan
The Android banking Trojan SOVA has returned with improved functionality, and a brand-new version with a ransomware module is now being created.
Researchers at Cleafy, who saw the resurgence of SOVA, believe that Version 4 of SOVA targets more than 200 mobile applications, including banking apps and cryptocurrency exchanges/wallets. After the US and the Philippines, Spain appears to be the country that the malware is targeting most frequently.
The SOVA v4 malware is bundled into fake Android applications that carry the logos of well-known services such as Chrome and Amazon. The most recent version includes a refactored and improved cookie-stealing approach that can now target a specified list of Google services and other applications. The update also gives the malware the ability to protect itself by detecting and blocking users' attempts to uninstall the program.
The command-and-control (C2) interface in more recent SOVA versions also lets attackers take control of specific targets, which increases the malware's ability to adapt to a variety of attack scenarios. It also includes tools that let attackers record instructions, run them, and capture screenshots. An attacker can therefore look for opportunities to pivot to potentially more valuable systems or applications.
"The most fascinating component is connected to the [virtual network computing] capabilities," the report states. Threat actors have been steadily adding new features and functionality to the malware since September 2021, and this VNC capability has been on the SOVA roadmap since that time.
Additionally, the Cleafy team found evidence that version 5 of the malware, which will include a ransomware module first mentioned in a September 2021 development plan, is currently under development.