[Warning]: Sova - new Android banking + crypto wallets trojan

[cryptomaniac_xxx]

Another new trojan was discovered recently, dubbed as SOVA - which is a Russian word for "Owl". It stand out from other Android malware/trojan is that it is a session cookie theft. What makes it dangerous is that the criminals can now have access to valid logged in sessions without needing your banking credentials.

Functionalities of the bot, as advertised by its authors, include:
Steal Device Data.
Send SMS.
Overlay and Cookie injection.
Overlay and Cookie injection via Push notification.
USSD execution.
Credit Card overlays with validity check.
Hidden interception for SMS.
Hidden interception for Notifications.
Keylogger.
Uninstallation of the app.
Resilience from uninstallation from victims.

screenshot of VirusTotal:

Clipper & Cryptocurreny wallets

Another feature that is incorporated in S.O.V.A., that we observed in other malware like Medusa, is the ability of altering the data in the system clipboard. The bot sets up an event listener, designed to notify the malware whenever some new data is saved in the clipboard. If the string of data is potentially a cryptocurrency wallet address, S.O.V.A. substitutes it with a valid address for the corresponding cryptocurrency.

The supported cryptocurrencies are Bitcoin, Ethereum, Binance coin, and TRON. The relative addresses can be found in the IOC section.

The good thing though is that no one has fallen victims so far, but who knows, maybe when it goes and scattered in the wild victims are going to come out.



You can read it here: https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html

[1714957997]

1714957997

[1714957997]

1714957997

[1714957997]

1714957997

[1714957997]

1714957997

[1714957997]

1714957997

[1714957997]

1714957997

[DdmrDdmr]

The BTC address shown in the article has TXs dating back from March 2021, being the most recent from July 2021, so with a bit of luck it’s not too active/lucky on the crypto front (maybe so on the banking area).
 
The address has TXs from months before the SOVA was detected, which can be read in many ways (it could have gone undetected for months, it could be an address used on prior similar software, and so forth).

According to the article, amongst other features, SOVA substitutes crypto addresses for their own through clipboard hijacking. It probably has the capability to steal crypto site’s passwords (there are some mentions to Coinbase, Local Bitcoins and Delta portfolio tracker).

[Yaunfitda]

^ Yah, as this is a mutating malware, it could possibly read any crypto related activities, passwords, accounts to exchanges or wallets and then steal our passwords.

And maybe they have improved other malware capabilities like Medusa that's why this is really very dangerous if you get infected by this android malware.

[bL4nkcode]

Interesting development of this trojan, didn't expect it could be explained as detailed such this. While it's a threat/malware, such bot will probably a good help in detecting various user's action in a different way, only if will be used for good, but that's not the case here.

I wonder if the latest android patch have this malware recorded already so it will be easily detected and will avoided too.

[Baofeng]

I wonder if the latest android patch have this malware recorded already so it will be easily detected and will avoided too.

I'm not really sure though, most of the time, they are late on releasing the patch, the malware authors could have make money already before they can take actions. And the the cat and mouse game continue, they patch it, threat actors released a new version of the malware and trojan. Maybe in the next version, we might see more crypto being targeted as well and then improved it a bit to not get detected easily by malware hunters.