SOVA is an Android banking Trojan with significant capabilities such as stealing credentials, capturing keystrokes, and taking screenshots, which can inflict severe harm on devices that fall victim to it. The malware has been for sale on the underground market since last year and is suspected to have been bought by some criminals to collect important information from unsuspecting users. Its creators gave it the name Sova in an underground forum.
Since last year, SOVA has been targeting Russian and Philippine banks. Since its inception, we have seen three versions of it, which had 2FA interception, cookie stealing, and injection capabilities. These versions can steal session credentials and cookies through overlay attacks, keylogging, notification hiding, and clipboard manipulation to insert modified cryptocurrency wallet addresses.
SOVA relies on the open source Retrofit project for its communication with the C2 server.
In the latest version that we have seen recently, SOVA appears to have evolved with some new features:
- It can tap the screen, swipe, and copy/paste remotely via commands, i.e. the latest version has VNC (Virtual Network Computing) capability.
- Ransomware capabilities to encrypt files.
- Ability to display an overlay screen over other applications.
- Contacts a C2 server to exfiltrate a list of installed applications.
- It targets crypto wallets like the Binance exchange and Trust Wallet.
- Cookie stealing and keylogging.
- Intercepts multi-factor authentication (MFA) tokens.
This latest version of SOVA mimics the Amazon and Google Chrome icons to trick users into downloading it. At launch, it asks for accessibility permission and forces the user to grant it.
Fig.1 Malware app home screen
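The behaviour described above (a borrowed Amazon or Chrome identity combined with a demand for accessibility access) can be turned into a simple device-inventory triage rule. The following is an added example, not code from the original article or from Quick Heal; the `AppRecord` fields, the `triage` and `flagged` helpers, and the `com.example.*` packages are assumptions made for illustration, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Real package names of the two brands the article says are imitated.
LEGIT_PACKAGES = {
    "amazon": {"com.amazon.mShop.android.shopping"},
    "chrome": {"com.android.chrome"},
}
PLAY_INSTALLER = "com.android.vending"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

@dataclass
class AppRecord:  # hypothetical inventory record, e.g. exported from an MDM
    label: str                     # name shown under the launcher icon
    package: str
    installer: Optional[str]       # None when the APK was sideloaded
    service_permissions: List[str] = field(default_factory=list)

def triage(app: AppRecord) -> List[str]:
    """Return the reasons an app looks like a spoofed install (empty if none)."""
    label = app.label.lower()
    reasons = [
        f"label imitates {brand} but package is {app.package}"
        for brand, packages in LEGIT_PACKAGES.items()
        if brand in label and app.package not in packages
    ]
    if not reasons:
        return []  # label does not borrow a watched brand
    if app.installer != PLAY_INSTALLER:
        reasons.append("not installed by Google Play")
    if A11Y_PERMISSION in app.service_permissions:
        reasons.append("declares an accessibility service")
    return reasons

def flagged(inventory: List[AppRecord]) -> List[str]:
    """Packages with a brand mismatch plus at least one corroborating signal."""
    return [a.package for a in inventory if len(triage(a)) >= 2]

# Constructed sample inventory; the com.example.* packages are made up.
INVENTORY = [
    AppRecord("Chrome", "com.android.chrome", PLAY_INSTALLER),
    AppRecord("Amazon Shopping", "com.amazon.mShop.android.shopping", PLAY_INSTALLER),
    AppRecord("Screen Reader", "com.example.reader", PLAY_INSTALLER, [A11Y_PERMISSION]),
    AppRecord("Chrome", "com.example.updater", None, [A11Y_PERMISSION]),
]

if __name__ == "__main__":
    for app in INVENTORY:
        for reason in triage(app):
            print(f"{app.package}: {reason}")
```

A legitimate accessibility tool installed from Google Play is not flagged, because the rule requires the brand mismatch first and treats sideloading and the accessibility service only as corroborating signals.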
SOVA version IOCs with Quick Heal detections:
SOVA version | MD5 | Detection name |
V1 (2021) | 03f51334546586d0b56ee81d3df9fd7a | Android.ScytheSCF.QJ |
V2 (2021) | 1698651d6b8fd95574f62b046b4f68e5 | Android.Agent.GEN45035 |
V3 (2021) | b1101bb941285fc54a21c271ee7bf60e | Android.Agent.A65a4 |
V4 (2022) | 0533968891354ac78b45c486600a7890 | Android.Agent.GEN50857 |
V4 (2022) | ca559118f4605b0316a13b8cfa321f65 | Android.Agent.Ad536 |
V5 (2022) | 74b8956dc35fd8a5eb2f7a5d313e60ca | Android.HqwarSCF.EH |
Quick Heal users are already protected against such threats, including the SOVA versions mentioned above.
Fig.2 Quick Heal detecting malware applications
TIPS TO STAY SAFE
- Download apps only from trusted sources like the Google Play Store.
- Do not click on any links received through messages or other social media platforms, as they may intentionally or inadvertently point you to malicious sites.
- Read the pop-up messages you get from the Android system before accepting or allowing new permissions.
- Malware authors spoof the names, icons, and developer names of the original apps. Therefore, be very careful about the applications you download on your phone.
- Always use an antivirus like “Quick Heal Mobile Security for Android” for better phone protection. A reliable antivirus will mitigate all such threats and protect you from downloading malicious apps on your mobile device.
CONCLUSION:
As illustrated above, banking malware uses new techniques to lure users through legitimate application icons. These Trojans can cause a lot of damage to infected devices and are sold on underground markets. They tend to spread through smishing and phishing attacks. Users should be aware and not download and install applications from untrustworthy sources.
Expert
Mane Digvijay
Akshay Singla
SOVA Android Banking Trojan emerges more powerful with new capabilities