A new version of the Russian-linked SOVA Android Trojan has resurfaced with updated attack techniques targeting more than 200 mobile applications, including banking apps and crypto exchanges and wallets. Researchers at Cleafy found that the Trojan now also includes ransomware capabilities.
First discovered in September 2021, SOVA takes its name from the Russian word for “owl,” a designation apparently chosen by the malware’s creator, according to earlier research by Threat Fabric. The Trojan was announced on a known underground forum and already had multiple capabilities during its initial development stage.
By March 2022, researchers at Cleafy had identified multiple versions of the Trojan, with capabilities such as 2FA interception, cookie stealing and injections for new targets, including Philippine banks.
While investigating SOVA v4, the researchers say they stumbled upon a possible SOVA v5.
While analyzing the malware’s code, they observed a massive refactoring of SOVA v4’s code, along with new features and changes in the communication between the malware and its command and control server.
Although there are several changes, the most interesting feature they uncovered is a ransomware module. They observed that the threat actors are attempting to encrypt files on infected devices using the AES algorithm, appending an “.enc” extension to the encrypted files.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking Trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data,” the researchers say.
Cleafy researchers also observed that the threat actors behind the Trojan have started hiding it inside fake Android applications that use the logos of Chrome, Amazon, an NFT platform or others.
The SOVA v4 threat actors can capture screenshots of infected devices to retrieve more information about victims, and can also record and obtain sensitive information.
Combined with Android’s Accessibility services, the researchers say, these features enable threat actors to perform gestures on the infected device and consequently carry out fraudulent activities from it.
“With SOVA v4, [Threat actors] are able to manage multiple commands, such as: screen click, swipe, copy/paste and the capability to show an overlay screen to hide the screen to the victim,” researchers say.
They also observed that extensive log information is still sent back to the command and control server, as in the previous version, which indicates that the Trojan remains under active development with new features and capabilities being added. But its new VNC feature sets the latest version apart from previous ones. VNC is typically used to remotely control computers and mobile devices.
In addition, the updated Trojan contains a refactored and improved cookie stealer, for which the threat actors have specified a comprehensive list of Google services they are interested in stealing from, such as Gmail, GPay and Google Password Manager, as well as a list of other applications.
“For each of the stolen cookies, SOVA will also collect additional information such as ‘is httpOnly’, its expiration date, etc,” the researchers say.
The Trojan’s other capabilities include a refactored “protections” module that defends the Trojan against various actions by the victim. Whenever a user attempts to uninstall the malware from the settings, the updated SOVA Trojan intercepts and blocks the attempt by abusing the Accessibility services, then returns the user to the home screen with a popup indicating that the app is secured.
“The capability itself isn’t that sophisticated, but that they are doing it adds a new level of complexity and possible subverting of other security controls to enable the Trojan controller to bypass security barriers that are supposed to prevent compromise,” says Chris Pritchard, an adversarial engineer at Colorado-based information security consulting firm LARES Consulting.
Pritchard says the developers’ quick response to development requests suggests that the Trojan will become more sophisticated.
“Suppose a mobile banking application prevents screenshots, for example, as a security control. In that case, it appears the Trojan authors will quickly make improvements to develop other methods of getting the information and detail they need to continue their goals,” Pritchard says.
The researchers say the latest version of the Trojan uses the .apk to unpack a .dex file that contains the real malicious functionality. In the previous version the .dex file was stored inside the app’s own directory, “while in the current version it uses a device’s shared storage directory (‘Android/obb/’) to store it.”
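The two file-system indicators the report describes, a .dex payload staged under the shared-storage “Android/obb/” directory and user files renamed with an “.enc” extension by the ransomware module, lend themselves to a simple offline triage check. The following script is an added example written for this article, not code from Cleafy or from the malware; it walks an exported copy of a device’s shared storage and flags both indicators. The directory layout it scans is constructed for the demonstration, and the 50% “.enc” ratio threshold is an assumption chosen to keep a single stray file from triggering an alert.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report: Dalvik bytecode staged in shared storage
# under Android/obb/, and files renamed to ".enc" by the ransomware module.
SHARED_OBB_DIR = Path("Android") / "obb"
ENC_RATIO_THRESHOLD = 0.5  # assumption: flag a directory when >= half its files are .enc


def scan_storage(root):
    """Walk an exported copy of a device's shared storage and return
    (indicator, detail) tuples for anything matching the report's indicators."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        # Indicator 1: a .dex file anywhere beneath Android/obb/
        under_obb = SHARED_OBB_DIR in (rel, *rel.parents)
        for name in filenames:
            if under_obb and name.lower().endswith(".dex"):
                findings.append(("dex_in_obb", (rel / name).as_posix()))
        # Indicator 2: a directory where most files now carry the .enc extension
        if filenames:
            enc = [n for n in filenames if n.lower().endswith(".enc")]
            if len(enc) / len(filenames) >= ENC_RATIO_THRESHOLD:
                detail = f"{rel.as_posix()} ({len(enc)}/{len(filenames)})"
                findings.append(("enc_files", detail))
    return findings


def build_sample_tree(base):
    """Constructed sample layout for the demonstration; not data from a real device."""
    base = Path(base)
    files = {
        "Android/obb/com.example.fake/payload.dex": b"dex\n035",   # staged payload
        "Android/obb/com.example.game/main.1.obb": b"\x00" * 16,   # legitimate expansion file
        "DCIM/Camera/IMG_0001.jpg.enc": b"encrypted",              # renamed by ransomware
        "DCIM/Camera/IMG_0002.jpg.enc": b"encrypted",
        "DCIM/Camera/IMG_0003.jpg": b"\xff\xd8\xff",
        "Download/report.pdf": b"%PDF",
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_storage(tmp)


if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"{indicator}: {detail}")
```

On the constructed tree the scan reports the .dex under Android/obb/com.example.fake and the DCIM/Camera directory, where two of three files carry the .enc extension; the legitimate .obb expansion file and the Download folder produce no findings. Pointing `scan_storage` at a real export (for example an `adb pull` of `/sdcard`) applies the same two checks to it.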
They also observed an entirely new module targeting the Binance exchange and Trust Wallet, the official crypto wallet for Binance.
“[Threat Actors] aim to obtain different information, like the balance of the account, different actions performed by the victim inside the app and, finally, even the seed phrase (a collection of words) used to access the crypto wallet,” researchers say.