Updated Android Trojan Features Ransomware CapabilitiesTrojan Targets More Than 200 Mobile Banking Applications
An updated version of the Russian-linked SOVA Android Trojan is back with updated attack techniques targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Researchers at Cleafy uncovered that the Trojan now also features ransomware capabilities.
First discovered in September 2021, SOVA is the Russian word for "owl" - a designation apparently chosen by the malware's creator, shows earlier research by Threat Fabric. The Trojan was announced in a known underground forum and had multiple capabilities even during its initial development stage.
Until March 2022, researchers at Cleafy identified multiple versions of the Trojan, with capabilities such as 2FA interception, cookie stealing and injections for new targets, including Philippine banks (see: New Android Trojan Targets Financial Institutions, Customers).
While investigating SOVA v4, researchers say they stumbled upon a possible SOVA v5.
During analysis of the malware's code, researchers observed a massive refactoring of SOVA v4's code, with the addition of new features and changes in the communications between the malware and the command-and-control server.
One of the feature they uncovered is a ransomware module. They observed that threat actors are trying to encrypt the files inside the infected devices using the AES algorithm and
"The ransomware feature is quite interesting as it's still not a common one in the Android banking Trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data," researchers say.
Cleafy researchers say threat actors behind the Trojan started hiding the Trojan with fake Android applications that were using the logo of Chrome, Amazon, NFT platform or others.
The SOVA v4 threat actors are able to obtain screenshots of the infected devices to retrieve more information from the victims and can record and obtain sensitive information.
When these features are combined with the accessibility services, researchers say, they enable threat actors to perform gestures and consequently fraudulent activities from the infected device.
"With SOVA v4, [threat actors] are able to manage multiple commands, such as: screen click, swipe, copy/paste and the capability to show an overlay screen to hide the screen to the victim," the researchers say.
They also observed that multiple log information is still sent back to the command-and-control server, as in the previous version, which indicates that the Trojan is still under the development process with its new features and capabilities.
But the latest use of its new VNC feature sets it apart from the previous versions. VNC is typically used for local computers and mobile devices you want to remotely control.
The updated Trojan also contains a refactored and improved cookie stealer mechanism, in which threat actors have specified a comprehensive list of Google services, such as Gmail, GPay and Google Password Manager, that they are interested in stealing and a list of other applications.
"For each of the stolen cookies, SOVA will also collect additional information such as 'is httpOnly,' its expiration date, etc.," the researchers say.
The other Trojan capabilities include the refactoring of its "protections" module that defends the Trojan against different victims' actions. Whenever a user attempts to uninstall the malware from the settings, the updated SOVA Trojan intercepts these actions and prevents them by abusing the accessibilities function and returning with a home screen popup showing that the app is secured.
"The capability itself isn't that sophisticated, but that they are doing it adds a new level of complexity and possible subverting of other security controls to enable the Trojan controller to bypass security barriers that are supposed to prevent compromise," says Chris Pritchard, an adversarial engineer at Colorado-based information security consulting firm Lares Consulting.
Pritchard says that the developers' quick response to development requests suggests that they will become more sophisticated.
"Suppose a mobile banking application prevents screenshots, for example, as a security control. In that case, it appears the Trojan authors will quickly make improvements to develop other methods of getting the information and detail they need to continue their goals," Pritchard says.
Researchers say that the latest Trojan version uses the
.apk to unpack a
.dex file that contains the real malicious functionalities, whereas, in the previous version, the
.dex file was stored inside the directory of the app, "while in the current version it uses a device's shared storage directory ('Android/obb/') to store it."
They also observed an entire new module for Binance exchange and Trust Wallet, the official crypto wallet for Binance.
"[Threat actors] aim to obtain different information, like the balance of the account, different actions performed by the victim inside the app and, finally, even the seed phrase (a collection of words) used to access the crypto wallet," researchers say.