[MART] - Daily Diary #574 - SOVA Android Trojan Evolves

ctas-mat at appgate.com
Mon Aug 15 23:36:21 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/15/2022 - Diary entry #574:

Almost a year ago, in our Daily Diary #348, we covered SOVA, a new Android banking trojan under active development and testing phases. SOVA has the ability to steal credentials and session cookies through overlay attacks, enable keylogging functionality, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses.

As announced in an underground forum in September 2021, the group behind SOVA included a roadmap to implement more functionalities, such as 2FA interception, VNC, DDoS, Ransomware (with overlay for card number), and other capabilities.

Most recently, in July 2022, new versions (under development) of SOVA were discovered targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets from many countries. Moreover, SOVA was updated with some of the capabilities described on the roadmap, such as a Ransomware module, 2FA interception, cookie stealing, and injections for new targets.

SOVA is yet another example of complex malware being developed under the Malware as a Service business model. By announcing and following a roadmap, the cybercrime group behind it creates more credibility, associating their criminal activities with a regular software development workflow. We believe that after their "product" is finished, SOVA will become a dangerous MaaS threat.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
