The earliest version of the malware was able to store usernames and passwords (via keylogging), steal cookies and add false overlays to various apps. The malware has since been upgraded to its fifth version and can do considerably more than that. Initially, SOVA focused on users in countries such as the US, Russia and Spain. In July 2022, the virus added many more nations (including India) to its list of targets.
SOVA Android Trojan: How does it work
The newest version of the malware can hide inside fake Android apps that carry the logo of authentic apps such as Google Chrome, Amazon and NFT platforms to dupe users into installing them. Whenever a victim logs into a net banking app or accesses a bank account from a compromised device, the malware can steal the user's credentials without their knowledge. The latest version of SOVA is reportedly targeting over 200 mobile apps, including banking apps and crypto exchanges/wallets.
Like most Android banking Trojans, this malware is mainly distributed through phishing via SMS campaigns (also known as smishing). Whenever a user installs one of these fake Android apps, the malware sends a list of the apps already present on the device to its command and control (C2) server, which is operated by the cybercriminals. This list helps the attacker determine which apps can be targeted.
The C2 server then sends back the list of addresses for each targeted app, and the malware stores this information in an XML file. The targeted apps are then handled according to the commands exchanged between the malware and the C2 server. The malware's list of abilities includes collecting keystrokes, stealing cookies, intercepting MFA tokens, taking screenshots, recording video and mimicking more than 200 banking/payment apps, among others.
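As an added, defender-side illustration of the first step described above (my own example, not code from the article or from a SOVA sample): a small Python heuristic that scans constructed JSON proxy log lines for a POST body carrying a device-wide list of Android package names to a host outside a trusted allowlist. The log format, the allowlist and the threshold are assumptions made for this example.

```python
import json
import re
from typing import Iterable

# Android package names are reverse-DNS labels such as com.example.bank
PKG_RE = re.compile(r"\b(?:[a-z][a-z0-9_]*\.)+[a-z][a-z0-9_]*\b")

# Hosts that legitimately receive app inventories (constructed allowlist,
# an assumption for this example; adapt it to your own environment)
TRUSTED_HOSTS = {"play.googleapis.com", "android.clients.google.com"}

# Flag a POST body listing at least this many distinct packages to an untrusted host
MIN_PACKAGES = 10


def extract_packages(body: str) -> set[str]:
    """Return the distinct Android-style package names found in a request body."""
    return set(PKG_RE.findall(body))


def flag_inventory_exfil(log_lines: Iterable[str]) -> list[dict]:
    """Scan JSON proxy log lines (one object per line) and return the entries
    that look like a device-wide app inventory being posted to an untrusted host."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("method") != "POST":
            continue
        host = entry.get("host", "")
        if host in TRUSTED_HOSTS:
            continue
        pkgs = extract_packages(entry.get("body", ""))
        if len(pkgs) >= MIN_PACKAGES:
            findings.append({"src": entry.get("src"), "host": host, "package_count": len(pkgs)})
    return findings


# Constructed sample log lines (not real traffic; hosts and packages are made up)
SAMPLE_LOG = """
{"src": "10.0.0.12", "method": "POST", "host": "play.googleapis.com", "body": "com.android.chrome com.whatsapp"}
{"src": "10.0.0.12", "method": "POST", "host": "203.0.113.7", "body": "com.android.chrome,com.whatsapp,com.example.bankone,com.example.banktwo,org.example.wallet,com.example.exchange,com.google.android.gm,com.android.vending,com.example.pay,com.example.shop,net.example.mail"}
{"src": "10.0.0.13", "method": "GET", "host": "example.com", "body": ""}
"""

if __name__ == "__main__":
    for finding in flag_inventory_exfil(SAMPLE_LOG.splitlines()):
        print(finding)
```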
How the malware has evolved over time
As mentioned above, the makers of the SOVA Android trojan have already upgraded the malware to its fifth version, which is capable of encrypting all the data on an Android device and holding it for ransom.
The latest version of SOVA can also protect itself from various user actions. For example, if a victim tries to uninstall the malware, either from settings or by long-pressing the icon, the malware intercepts the action and sends the user back to the home screen to prevent them from deleting it. When the user tries to uninstall it, the malware also displays a pop-up message that reads: “This app is secured”.