SOVA, a Dangerously Sophisticated Android Trojan, Takes to the Air

A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers said, and it has big dreams even in its infancy stage. The malware is looking to incorporate distributed denial of service (DDoS), man in the middle (MiTM) and ransomware functionality into its arsenal – on top of existing banking overlay, notification manipulation and keylogging services.

The malware appeared in August with an ambitious roadmap (think ransomware, DDoS) that could make it ‘the most feature-rich Android malware on the market.’

According to researchers from ThreatFabric, the malware’s authors are shooting for the moon on this one.

“This malware is still in its infancy and it is undergoing a testing phase…prospecting serious and worrying plans for the near future,” they said in a Friday analysis, noting that the malware’s roadmap is laid out in underground forum posts advertising its availability for testing.

“SOVA is…taking a page out of traditional desktop malware,” they added. “Including DDoS, man in the middle and ransomware to its arsenal could mean incredible damage to end users, in addition to the already very dangerous threat that overlay and keylogging attacks serve.”

The malware authors’ coding and development choices also speak to SOVA’s sophistication, the analysis showed.

“Regarding the development, SOVA also stands out for being fully developed in Kotlin, a coding language supported by Android and thought by many to be the future of Android development,” according to ThreatFabric. “If the author’s promises on future features are kept, SOVA could potentially be the most complete and advanced Android bot to be fully developed in Kotlin to this day.”

SOVA meanwhile relies on the legitimate open-source project known as RetroFit for its communication with the command-and-control (C2) server.

“Retrofit is a type-safe REST client for Android, Java and Kotlin developed by Square,” researchers said. “The library provides a powerful framework for authenticating and interacting with APIs and sending network requests with OkHttp.”

Banking Trojan Features

SOVA is first and foremost a banking trojan, and its authors are applying innovation to this portion of its development too, researchers noted. For instance, SOVA doesn’t skimp on the more traditional banking front of overlay attacks.

Overlay attacks are a common tactic used by banking trojans, in which the malware replaces the screen that users see when they log into mobile banking with a copycat screen – thus harvesting any credentials the victim puts in. In SOVA’s case, the targets that it’s capable of imitating include banking applications, cryptocurrency wallets and shopping applications that require credit-card access to operate.

“According to the authors, there are already multiple overlays available for different banking institutions from the U.S. and Spain, but they offer the possibility of creating more in case of necessity from the buyer,” researchers noted. Also, version 2 contains functionality to target users of some Russian banks – drawing ire from other forum users, ThreatFabric reported. To better gather the victim’s credentials and other personally identifiable information (PII), SOVA is banking (so to speak) on Android’s Accessibility Services – also a traditional functionality.

“When it is started for the first time, the malware hides its app icon and abuses the Accessibility Services to obtain all the necessary permissions to operate properly,” researchers explained. Some of those permissions allow it to intercept SMS messages and notifications, for instance, so that it can better hide from the victim – and on the roadmap is also the ability to circumvent two-factor authentication. SOVA already has one highly uncommon banking-trojan feature that stands out for Android malware, according to the analysis: the ability to steal session cookies, which lets the malware piggyback on valid logged-in banking sessions, skirting the need for banking credentials to access victims’ accounts.

“Cookies are a vital part of web functionality, which allow users to maintain open sessions on their browsers without having to re-input their credentials repeatedly,” researchers noted. “SOVA will create a WebView to open a legitimate web URL for the target application and steal the cookies once the victim successfully logs in…it is capable of stealing session cookies from major websites like Gmail or PayPal with ease.” In the newer version of SOVA, the cybercrooks also added the option to create a list of applications for which to monitor for cookies automatically.
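The three capabilities described above (overlay screens laid over a real login, self-granted Accessibility Services permissions, and notification interception for one-time codes) all leave traces that a banking app can look for on the device before it accepts a login. The Kotlin snippet below is an added example written for this article, not code from ThreatFabric or from the SOVA analysis, showing the checks an app's login screen could run: listing enabled accessibility services and comparing them against an allowlist, listing packages with notification-listener access, and rejecting touches that reach a credential field through another window. The allowlist entries and the `RiskReport` type are hypothetical placeholders; the Android and AndroidX APIs used are standard ones.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager
import androidx.core.app.NotificationManagerCompat

// Defensive checks a banking app can run when its login screen is shown.
// Example code written for this article; the allowlist below is hypothetical and
// must be replaced with the accessibility helpers the app's risk team accepts.
object DeviceTrustChecks {

    // Hypothetical allowlist of accessibility services the app tolerates
    // (legitimate screen readers and similar assistive tools).
    private val ACCESSIBILITY_ALLOWLIST = setOf(
        "com.google.android.marvin.talkback", // TalkBack screen reader (placeholder entry)
    )

    // Package names of every accessibility service currently enabled on the device.
    // SOVA-style trojans lean on this permission to grant themselves further rights,
    // so an entry the app does not recognise is a strong risk signal for the session.
    fun enabledAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .distinct()
    }

    // Enabled accessibility services that are not on the allowlist.
    fun unexpectedAccessibilityServices(context: Context): List<String> =
        enabledAccessibilityServices(context).filterNot { it in ACCESSIBILITY_ALLOWLIST }

    // Packages granted notification-listener access. Anything in this set can read
    // the one-time codes that arrive as SMS or push notifications.
    fun notificationListenerPackages(context: Context): Set<String> =
        NotificationManagerCompat.getEnabledListenerPackages(context)

    // Reject touches that reach a credential field while another window covers it.
    // Android marks such touches with FLAG_WINDOW_IS_OBSCURED (and, from API 29,
    // FLAG_WINDOW_IS_PARTIALLY_OBSCURED), which is the situation a fake-login overlay
    // creates. Setting view.filterTouchesWhenObscured = true achieves the same drop
    // inside the framework, but silently; this listener lets the app record the event.
    fun hardenAgainstOverlay(view: View, onObscuredTouch: () -> Unit) {
        view.setOnTouchListener { _, event ->
            val obscured = event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0
            val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED != 0
            if (obscured || partiallyObscured) {
                onObscuredTouch()
                true   // consume the event so it never reaches the field
            } else {
                false  // ordinary touch; let the view handle it normally
            }
        }
    }

    // Hypothetical summary type so the app (or its backend) can step up
    // authentication instead of silently completing the login.
    data class RiskReport(
        val unexpectedAccessibility: List<String>,
        val notificationListeners: Set<String>,
    ) {
        val elevated: Boolean get() = unexpectedAccessibility.isNotEmpty()
    }

    fun assess(context: Context): RiskReport = RiskReport(
        unexpectedAccessibilityServices(context),
        notificationListenerPackages(context),
    )
}
```

A login activity would call `DeviceTrustChecks.assess(this)` in `onResume()` and `hardenAgainstOverlay(passwordField) { /* log and warn */ }` once the view is inflated. These are heuristics, not proof of compromise: a user may legitimately run an unlisted accessibility service, so the sensible response to an elevated report is extra verification on the server side rather than a hard block.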
