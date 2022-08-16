The SOVA Android banking trojan continues to be actively developed, with updated features that target no fewer than 200 mobile applications, including banking apps, cryptocurrency exchanges and digital wallets, up from the 90 applications it was originally designed for.

That is according to the latest findings from the Italian cybersecurity firm Cleafy, which found that the newest versions of the malware add the ability to intercept two-factor authentication (2FA) codes and steal cookies, and extend its targeting to Australia, Brazil, China, India, the Philippines and the United Kingdom.

What is the Android SOVA malware, where did it come from and what does it combine?

SOVA, which means owl in Russian, first appeared in September 2021 targeting financial and shopping applications in the United States and Spain, harvesting credentials through overlay attacks that abuse Android's accessibility services.

Its purpose is intuitive: first, stealing personal data (nothing new under the sun); second, stealing money from accounts, both bank accounts and cryptocurrency wallets.

In less than a year the trojan has also served as the base for another piece of Android malware called MaliBot, designed to target online banking customers and cryptocurrency wallets in Spain and Italy.

The latest variant of SOVA, dubbed v4 by Cleafy, hides inside fake apps (as usual) that carry the logos of legitimate apps such as Amazon and Google Chrome to trick users into installing them. Other noteworthy additions include screen capture and screen recording of the device.

“These features, combined with the Accessibility services, allow [the attackers] to run applications and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA)”, argue Cleafy researchers Francesco Iubatti and Federico Valentino.

SOVA v4 is also known for its ability to harvest sensitive information from Binance and Trust Wallet, such as account balances and security questions.

Additionally, 13 Russian and Ukrainian banking applications that were previously targeted by the malware have been removed from the target list in this latest version.

To make matters worse, this update allows the malware to abuse its broad permissions to thwart uninstall attempts: as soon as the victim opens the app's settings page, it redirects them to the home screen and displays the message “This app is protected” (in the original English wording, “This app is secured”). This trick is possible because an accessibility service can observe which screen is in the foreground and inject navigation actions on the user's behalf, the same capability that underpins the overlay attacks.
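The uninstall-blocking trick depends on the malicious app holding an enabled accessibility service, so the first triage step on a suspect device is to list which third-party packages hold one. The following script is an added example, not Cleafy's analysis tooling or SOVA's code: the two ADB commands it wraps are real, but the sample outputs and the package name com.example.fakechrome are constructed for the demonstration.

```python
"""Triage helper: list third-party apps that hold an enabled Android
accessibility service, the capability SOVA abuses for overlays and
for blocking its own uninstallation.

Added example, not code from Cleafy or from the malware. The ADB
commands are real; SAMPLE_* outputs and com.example.fakechrome are
constructed for the demonstration.
"""
import subprocess

# Both commands exist on stock Android; the first prints entries such as
# "pkg/.Service:otherpkg/com.x.Service" (or "null" when nothing is enabled),
# the second prints one "package:<name>" line per third-party app.
ENABLED_SETTING_CMD = ["adb", "shell", "settings", "get", "secure",
                       "enabled_accessibility_services"]
THIRD_PARTY_CMD = ["adb", "shell", "pm", "list", "packages", "-3"]

# Constructed sample outputs (not captured from a real device).
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakechrome/.OverlayService")
SAMPLE_THIRD_PARTY = "package:com.example.fakechrome\npackage:com.whatsapp\n"


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Turn the colon-separated setting into (package, fully qualified class)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # ".OverlayService" is relative to pkg
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_package_list(raw: str) -> set[str]:
    """Extract package names from 'pm list packages' output."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_services(enabled_raw: str, third_party_raw: str) -> list[tuple[str, str]]:
    """Enabled accessibility services owned by a user-installed (non-system) app."""
    third_party = parse_package_list(third_party_raw)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(enabled_raw)
            if pkg in third_party]


def cleaned_setting(enabled_raw: str, third_party_raw: str) -> str:
    """The setting value with third-party services removed, keeping the
    original entry strings so it can be written back unchanged."""
    third_party = parse_package_list(third_party_raw)
    kept = [entry for entry in enabled_raw.strip().split(":")
            if entry and entry != "null" and entry.partition("/")[0] not in third_party]
    return ":".join(kept)


def run(cmd: list[str]) -> str:
    """Run an ADB command on the connected device and return stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace the two SAMPLE_ values with run(ENABLED_SETTING_CMD) and
    # run(THIRD_PARTY_CMD) to triage a real device.
    for pkg, cls in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"third-party accessibility service: {pkg} ({cls})")
    print("setting value without them:", cleaned_setting(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY))
```

On a real device the flagged service can be removed from the setting with `adb shell settings put secure enabled_accessibility_services '<cleaned value>'` and the package then removed with `adb uninstall <package>`; with the accessibility service disabled the malware can no longer redirect the user away from the uninstall screen. Treat any accessibility service held by an app that has no accessibility purpose as suspect; a "Chrome" or "Amazon" look-alike never needs one.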

The trojan, already rich in such “features”, may also incorporate a ransomware component in its next version, which is currently under development and aims to encrypt all files stored on the infected device with AES and rename them with the extension “.ecc”.

This addition is likely to make SOVA a formidable piece of malware in the Android threat landscape.

“The ransomware feature is quite interesting as it is not yet common in the Android banking Trojan landscape,” the researchers said.

“It makes great use of the large presence [of Android devices] that has emerged in recent years, as mobile devices are used by most people for storing data [third-party data such as PDFs, downloaded files, etc.], both personal and business.”
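If such a component ever ships, the observable artifacts on a device are the ones described above: files renamed to “.ecc” whose contents no longer look like their original format. The following script is an added example, not SOVA's code and not a decryptor: it walks a directory, flags renamed files and uses byte entropy (close to 8 bits per byte, as AES output would be) to separate genuinely encrypted files from files that were merely renamed. The 7.5 threshold is an assumption and the sample files are constructed in memory.

```python
"""Triage helper for the SOVA-style ransomware described above: find
files renamed to ".ecc" and check whether their content looks encrypted.

Added example, not code from Cleafy or from the malware. It does not
decrypt anything. The ".ecc" extension comes from the article; the
entropy threshold is an assumption and SAMPLE_FILES is constructed.
"""
import hashlib
import math
import os
from collections import Counter

SUSPECT_EXT = ".ecc"
ENTROPY_THRESHOLD = 7.5   # assumption: a few KiB of AES output scores ~7.9-8.0

# Constructed samples: pseudo-random bytes standing in for ciphertext,
# repeated English text, and an empty file that only carries the extension.
SAMPLE_FILES = {
    "/sdcard/Download/invoice.pdf.ecc":
        b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
    "/sdcard/Documents/notes.txt":
        b"meeting notes: call the bank about the transfer on Monday\n" * 40,
    "/sdcard/DCIM/empty.ecc": b"",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, data: bytes) -> dict:
    """Describe one file: renamed?, entropy, and whether both signs are present."""
    renamed = path.lower().endswith(SUSPECT_EXT)
    entropy = shannon_entropy(data)
    return {
        "path": path,
        "renamed": renamed,
        "entropy": round(entropy, 2),
        # An empty or plain-text ".ecc" file is renamed but not encrypted.
        "likely_encrypted": renamed and entropy >= ENTROPY_THRESHOLD,
        "original_name": path[:-len(SUSPECT_EXT)] if renamed else None,
    }


def triage(files: dict[str, bytes]) -> list[dict]:
    """Classify an in-memory {path: content} mapping (used by the samples and tests)."""
    return [classify(path, data) for path, data in files.items()]


def count_encrypted(results: list[dict]) -> int:
    return sum(1 for r in results if r["likely_encrypted"])


def scan_directory(root: str, max_bytes: int = 65536) -> list[dict]:
    """Classify every readable file under root, sampling at most max_bytes each."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(max_bytes)
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
    return triage(files)


if __name__ == "__main__":
    # Replace SAMPLE_FILES with scan_directory("/sdcard") on a pulled image.
    results = triage(SAMPLE_FILES)
    for r in results:
        print(f"{r['path']}: entropy={r['entropy']} renamed={r['renamed']} "
              f"encrypted={r['likely_encrypted']}")
    print("files that look encrypted:", count_encrypted(results))
```

The entropy check matters for the advice that follows: a file that was only renamed can be recovered by restoring its name, while one that scores near 8 bits per byte is ciphertext, and without the key the only way to get it back is a backup taken before the infection.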

If you catch the Android SOVA malware, what should you do?

As explained above, the malware spreads through bogus applications: do not install them, for any reason in the world. Stick to the official app store, and check the developer name and the requested permissions before installing anything; a browser or shopping app that asks to become an accessibility service is a red flag.

So beware of sites with deceptive graphics that mimic legitimate stores or brands and push you to download an APK directly.

Should SOVA evolve into ransomware too, you can always use Malwarebytes (or another anti-malware for Android: there are many). If the trojan blocks its own removal as described above, restart the device in safe mode, which disables third-party apps, then revoke its accessibility permission in the settings and uninstall it.

But one thing must be said: once the ransomware (“ransom malware”, to be clear) has rendered your files unreadable through encryption, they will hardly come back, even after a full scan and even if you pay the ransom.

It is therefore a good idea to back up your data regularly, preferably on external media (SD card, external hard drive, USB stick) that is disconnected from the device afterwards, so that the backup cannot be encrypted along with everything else.