Security experts have recently discovered an Android Trojan that can enable threat actors to steal personally identifiable data from infected devices, including bank credentials, and open the door to fraud.
The trojan targets banking apps, cryptocurrency wallets, and shopping apps, and it is currently aimed at users in the US and Spain.
This new Android banking malware is dubbed SOVA, and this version has a wide set of features built specifically for:
- Stealing credentials
- Stealing session cookies through web overlay attacks
- Logging keystrokes
- Hiding notifications
- Manipulating the clipboard so that modified cryptocurrency wallet addresses can be inserted
Moreover, its developers plan to add on-device fraud through VNC, DDoS attacks, ransomware, and even interception of two-factor authentication codes.
Functionalities of the bot
The Trojan currently offers the following specific functionalities:
- Steal Device Data
- Send SMS
- Overlay and Cookie injection
- Overlay and Cookie injection through Push notification
- USSD execution
- Credit Card overlays with validity check
- Hidden interception for SMS
- Hidden interception for Notifications
- Keylogger
- Uninstallation of the app
- Resistance to uninstallation by victims
Detailed Roadmap of the Features
The threat actors operating this bot are quite proactive, and they have published a detailed roadmap of the features planned for future releases of S.O.V.A.:
- Automatic 3 stage overlay injections
- Automatic cookie injections
- Clipboard manipulation
- DDoS
- Improved Panel Health
- Ransomware (with overlay for card number)
- Man in the Middle (MitM)
- Normal Push notifications
- More overlays
- VNC
- 2FA interception
Commands list
The C2 can send the following commands to the bot:

| Command | Description |
| --- | --- |
| startddos | Start DDoS service |
| stealer | Steal session cookie of a specific app |
| hidensms | Hide received SMS |
| starthidenpush | Hide push notifications |
| delbot | Delete the bot from the device |
| getlog | Send key logged data |
| startkeylog | Clears key logged data |
| scaninject | Adds new injects to injects list |
| stopkeylog | Same as startkeylog |
| openinject | Open WebView with link provided |
| stophidenpush | Stop hiding push notifications |
| sendpush | Display Push notification to start WebView Injection |
| stophidensms | Stops hiding received SMS |
| stopddos | Stop DDoS service |
| stopscan | Stops injects |
| stealerpush | Same as sendpush |
| sendsms | Send SMS |
| scancookie | Adds package to cookie stealing list (v2) |
| stopcookie | Removes package names from cookie stealing list (v2) |
Abilities
This bot also has some special and interesting capabilities, listed below:
- Overlay Attack
- Session Stealer
- DDoS
- Clipper & Cryptocurrency wallets
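The clipper capability above works by rewriting a wallet address that the user has just copied. The following detection logic, added here as an illustration and not taken from the article or from any SOVA sample, runs over a constructed clipboard-event log and flags the tell-tale pattern: an address is replaced within a short window by a different address of the same kind, written by a different package. The package names, timestamps and addresses are sample values (the BTC addresses are public bech32 test vectors), and the regular expressions are syntactic checks only, not full checksum validation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syntactic wallet-address patterns (assumption: format checks only, no checksum verification).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# One clipboard event: (timestamp in seconds, package that wrote the clipboard, clipboard text)
ClipEvent = Tuple[float, str, str]


@dataclass
class SwapAlert:
    kind: str          # address family that was swapped ("btc" / "eth")
    original: str      # address the user copied
    replacement: str   # address that replaced it
    writer: str        # package that performed the replacement
    delay: float       # seconds between the copy and the replacement


def address_kind(text: str) -> Optional[str]:
    """Return the address family of the text, or None if it is not a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipper_swaps(events: List[ClipEvent], window_seconds: float = 5.0) -> List[SwapAlert]:
    """Flag clipboard writes that replace a wallet address with a different address of the
    same kind, from a different package, within window_seconds of the original copy."""
    alerts: List[SwapAlert] = []
    last_address = None  # (ts, pkg, text, kind) of the most recent address on the clipboard
    for ts, pkg, text in events:
        kind = address_kind(text)
        if kind is None:
            last_address = None  # non-address content breaks the copy/replace chain
            continue
        if last_address is not None:
            prev_ts, prev_pkg, prev_text, prev_kind = last_address
            same_kind = kind == prev_kind
            changed = text.strip() != prev_text.strip()
            other_writer = pkg != prev_pkg
            in_window = ts - prev_ts <= window_seconds
            if same_kind and changed and other_writer and in_window:
                alerts.append(SwapAlert(kind, prev_text, text, pkg, ts - prev_ts))
        last_address = (ts, pkg, text, kind)
    return alerts


# Constructed sample log; package names and timings are hypothetical.
SAMPLE_EVENTS: List[ClipEvent] = [
    (0.0, "com.example.wallet", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # user copies own address
    (0.4, "com.example.clipper", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # other package rewrites it
    (30.0, "com.example.browser", "meeting at 10am"),                              # plain text, ignored
    (45.0, "com.example.wallet", "0x" + "a" * 40),
    (46.0, "com.example.wallet", "0x" + "b" * 40),                                 # same package: legitimate
    (60.0, "com.example.wallet", "0x" + "c" * 40),
    (70.0, "com.example.clipper", "0x" + "d" * 40),                                # outside window: not flagged
]


def run_sample() -> List[SwapAlert]:
    return detect_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.kind}] {alert.original} -> {alert.replacement} "
              f"by {alert.writer} after {alert.delay:.1f}s")
```

The window and the "different package" condition are the two knobs that keep false positives down: a user re-copying a second address from the same wallet app is normal, while a background package silently overwriting a freshly copied address is the behaviour the article attributes to the clipper.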
C2 Communication
The S.O.V.A. malware relies on the open-source Retrofit project for all of its communication with the C2 server. Retrofit is a type-safe REST client for Android, Java, and Kotlin developed by Square.
It is a large library that provides a powerful framework for authentication, interacting with APIs, and sending network requests together with OkHttp.
Experts noted that this year the trojan's operators have been carrying out their attacks at random; even so, S.O.V.A. is a very new and sophisticated piece of malware, and threat actors are already using it frequently.
For these reasons, security analysts consider this malware quite dangerous, and users need to protect themselves against this kind of trojan attack.