SOVA – New Android Banking Trojan | Techy Kings


How many people know about the new mobile banking “Trojan Virus -SOVA” that allows hackers to access legitimate login sessions from customers without knowing banking credentials? It used to focus on countries like the US, Russia and Spain, but in July 2022 it added more countries, including India.

A new type of banking trojan known as SOVA virus was discovered in September 2021. This trojan was revealed on a hacking forum.


This variant of the virus is coming in March 2022. This updated version has features like 2FA bypass and session cookie theft. Threat researchers in July 2022 discovered a new version (v4) of the SOVA malware targeting more than 200 mobile apps, including banking and cryptocurrency trading apps. The malicious actor behind the SOVA banking trojan started distributing a new version of this banking trojan in May 2022. This version of the SOVA malware may hide itself under a well-known Android app, like the one we tested, which is a fake Chrome app add-on to a fake Chrome app that can also trick apps like Amazon. Additionally, warnings about the Android malware Trojan known as SOVA have started being distributed to users by SBI, PNB and Canara Bank.

How does this malware spread and operate?

By means of SMS phishing attacks, this malware is spread. The trojan program begins gathering a list of installed applications and sends them to its command and control server as soon as they are available.

This Android virus can capture screenshots, log keystrokes, steal cookies and credentials, and more. By using android accessibility services, this banking malware can swipe and click the screen like gestures, which makes it unique.

SOVA – New Android Banking Trojan

The creator of the Sova Android trojan also provides its fifth version, which can encrypt all the data on the Android phone. By abusing accessibility features, Android banking trojans also make it impossible to remove them from Android devices.

Technical analysis of APK permissions

We ran a static analysis of this APK to see what permissions the SOVA Android malware needs. The analysis reveals that this application is granted permission for almost everything. The following lists some permits.

uses-permission android:name=”android.permission.READ_SMS”/>









Let’s try to understand the above truth one by one. We will see the permissions this app receives when you run it.

  1. Android. truth READ_ SMS: This permission allows the app to read SMS stored on your phone.
  2. Android. truth READ_ PHONE_ NUMBERS: As you can guess by the name permission this permission allows the app to read your contact numbers stored on your phone.
  3. SYSTEM_ALERT_WINDOW: This allows apps to draw on top of other apps. This is the permission that this banking trojan uses to interfere with your use of other apps.
  4. WRITE_EXTERNAL_STORAGE: The Sova banking Trojan uses these permissions to modify or delete or save content on your phone storage or SD card.
  5. Android. truth WRITE_CONTACTS: Allows apps to modify data about your contacts stored on your phone, including how often you call, email, or otherwise communicate with certain contacts. This permission allows the app to delete contact data.
  6. Android. truth REORDER_TASKS: Allows apps to move tasks to foreground and background. The app may do this without your input.
  7. Android. truth CHANGE_WIFI_STATE: Allows apps to connect and disconnect from Wi-Fi access points and make changes to device configuration for Wi-Fi networks.
  8. Android. truth REQUEST_INSTALL_PACKAGES: Allows apps to request package installation.
  9. Android. truth DISABLE_KEYGUARD: Allows the app to disable the key lock and any associated password security. For example, the phone disables the key lock when receiving an incoming phone call, then re-enables the key lock when the call ends.


This malware is granted many permissions, including the ability to read, send and receive SMS, as well as the ability to read, write and read phone numbers. get permission to launch stack attacks when certain apps, usually bank apps, are launched. These permissions include QUERY ALL PACKAGES, REQUEST INSTALL PACKAGES, INSTALL PACKAGES and REQUEST DELETE PACKAGES. They also include obtaining permission to access the victim’s phone location using FINE LOCATION ACCESS, COARSE LOCATION ACCESS and ACCESS.

Other permissions, such as REMOVE KEYGUARD, which temporarily disables the phone lock while a program is in use Switch tasks between foreground and background using the app’s CUSTOM TASKS feature. AUDIO RECORD the application’s ability to record audio, and CALL PHONE allows calls to be made by the application without using a dialer user interface. PERMISSIONS MANAGE OVERLAY ACTIONS limiting programs that can draw on top of other apps reduces the threat of overlays. RECEIVE BOOT COMPLETED will notify you when the system has finished booting.

There is a service called Send Headless Sms Service that uses SEND_RESPOND_VIA_MESSAGE that allows Android trojans to send requests to other messaging apps to handle response-via-message events for incoming calls.

A compromise indicator

Here is the IoC to track this Banking Trojan App

File type: .apk

File Hash:

  • apk: 74b8956dc35fd8a5eb2f7a5d313e60ca, 0533968891354ac78b45c486600a7890, ca559118f4605b0316a13b8cfa321f65
  • C2 Server: socrersutagans[.]site, Omainwpatnlfq[.]site, Satandemantenimiento[.]com wecrvtbyutrcewwretyntrverfd[.]xyz

How to patch with SOVA Malware?

Cyber ​​security professionals must use smart cyber security solutions to keep up to date with changes and enhancements due to the constant advancements made to SOVA malware every few months.

To keep users safe from malware, CERT-In provides several preventative measures and suggested practices. critical, Cert-In Empaneled company, making operating a secure mobile payment business easier than ever. Financial institutions can develop a risk-based mobile security plan using the most up-to-date threat intelligence for mobile banking, and they can use this special information to quickly identify malware-based fraud on customers’ mobile devices. We are developing user-friendly information systems with the help of our customers and partners to combat the increasing threat of mobile malware targeting the financial industry.

If you are interested in learning more about how we identify mobile malware on mobile devices, you can contact us directly.

The post SOVA – New Android Banking Trojan appeared first on Kratikal Blog.

*** This is a Security Bloggers Network syndicated blog from Kratikal Blog authored by Deepti Sachdeva. Read the original post at:


Source link