A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers observed, & it has big plans even in its early stage.
The malware is hoping to incorporate distributed denial of service (DDoS), man in the middle (MiTM) & ransomware functionality into its toolkit – in addition to existing banking overlay, notification manipulation & keylogging services.
The malware appeared in Aug. with an ambitious roadmap (think ransomware, DDoS) that could make it ‘the most feature-rich Android malware on the market.’
According to researchers from Threat Fabric, the malware’s authors are ‘shooting for the moon.’
“This malware is still in its infancy [1st appearing in Aug., now only on version 2] & it is undergoing a testing phase…prospecting serious & worrying plans for the near future,” they stated in a Fri. analysis, noting that the malware’s roadmap is laid out in underground forum posts advertising its availability for testing.
“SOVA is…taking a page out of traditional desktop malware,” they added. “Including DDoS, man in the middle & ransomware to its arsenal could mean incredible damage to end users, in addition to the already very dangerous threat that overlay & keylogging attacks serve.”
The malware authors’ coding & development choices also speak to SOVA’s sophistication, the analysis showed.
“Regarding the development, SOVA also stands out for being fully developed in Kotlin, a coding language supported by Android & thought by many to be the future of Android development,” according to Threat Fabric.
“If the author’s promises on future features are kept, SOVA could potentially be the most complete & advanced Android bot to be fully developed in Kotlin to this day.”
SOVA meanwhile relies on the legitimate open-source project Retrofit for its communication with the command-&-control (C2) server.
“Retrofit is a type-safe REST client for Android, Java & Kotlin developed by Square,” researchers commented. “The library provides a powerful framework for authenticating & interacting with APIs and sending network requests with OkHttp.”
Banking Trojan Features
SOVA is 1st a banking trojan, & its authors are applying innovation to this portion of its development too, researchers noted. That said, SOVA doesn’t neglect the more traditional banking-trojan tactic of overlay attacks.
Overlay attacks are a common tactic used by banking trojans, in which the malware replaces the screen that users see when they log into mobile banking with a copycat screen – capturing any credentials the victim enters.
In SOVA’s case, the targets that it’s capable of imitating include banking applications, cryptocurrency wallets & shopping applications that require credit-card access to operate.
“According to the authors, there are already multiple overlays available for different banking institutions from the US & Spain, but they offer the possibility of creating more in case of necessity from the buyer,” researchers noted. Also, version 2 contains functionality to target users of some Russian banks – drawing irritation from other forum users, Threat Fabric reported.
To better gather the victim’s credentials & other personally identifiable information (PII), SOVA is ‘banking’ on Android’s Accessibility Services – also a traditional function.
“When it is started for the 1st time, the malware hides its app icon & abuses the Accessibility Services to obtain all the necessary permissions to operate properly,” researchers explained.
Some of those permissions allow it to intercept SMS messages & notifications, for instance, the better to hide its activity from the victim; also on the roadmap is the ability to circumvent 2-factor authentication.
SOVA already has 1 highly unusual banking-trojan feature that stands out for Android malware, states the analysis: the ability to steal session cookies, which allows the malware to ‘piggyback’ on valid logged-in banking sessions, thus circumventing the need to have banking credentials to access victims’ accounts.
“Cookies are a vital part of web functionality, which allow users to maintain open sessions on their browsers without having to re-input their credentials repeatedly,” researchers noted.
“SOVA will create a WebView to open a legitimate web URL for the target application & steal the cookies once the victim successfully logs in…it is capable of stealing session cookies from major websites like Gmail or PayPal with ease.”
In the newer version of SOVA, the cybercrooks also added the option to create a list of applications for which to monitor for cookies automatically.
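Because a stolen session cookie is replayed from the attacker’s own client rather than the victim’s WebView, the server side of the targeted application can spot the hijack as a session id that suddenly appears with a different User-Agent. The following is an added example of that detection logic, not code from Threat Fabric or from the SOVA analysis; the log format, field names and all log lines are constructed for the example, and the strategy of treating a User-Agent change (rather than an IP change alone, which mobile networks produce routinely) as the hijack signal is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed server-side access-log sample (not real traffic). The key=value
# layout is an assumption about what a web tier exports per request.
SAMPLE_LOG = """\
ts=1631527200 sid=SESS-a1b2 ua="Mozilla/5.0 (Linux; Android 11) BankApp/4.2" ip=203.0.113.10
ts=1631527260 sid=SESS-a1b2 ua="Mozilla/5.0 (Linux; Android 11) BankApp/4.2" ip=203.0.113.10
ts=1631527300 sid=SESS-a1b2 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/93.0" ip=198.51.100.77
ts=1631527400 sid=SESS-c3d4 ua="Mozilla/5.0 (Linux; Android 11) BankApp/4.2" ip=203.0.113.55
ts=1631527500 sid=SESS-c3d4 ua="Mozilla/5.0 (Linux; Android 11) BankApp/4.2" ip=203.0.113.55
"""

LINE_RE = re.compile(r'ts=(\d+) sid=(\S+) ua="([^"]*)" ip=(\S+)')


@dataclass(frozen=True)
class SessionRequest:
    ts: int
    session_id: str
    user_agent: str
    client_ip: str


def parse_log(text: str) -> List[SessionRequest]:
    """Parse the constructed key=value log lines; lines that do not match are skipped."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sid, ua, ip = m.groups()
            requests.append(SessionRequest(int(ts), sid, ua, ip))
    return sorted(requests, key=lambda r: r.ts)


def find_session_reuse(requests: List[SessionRequest], window_s: int = 900) -> List[Dict]:
    """Flag a session id that is used from a different User-Agent within window_s
    seconds of its last request: the pattern a replayed stolen cookie produces."""
    first_seen: Dict[str, SessionRequest] = {}
    findings = []
    for req in requests:
        origin = first_seen.setdefault(req.session_id, req)
        if req.user_agent != origin.user_agent and req.ts - origin.ts <= window_s:
            findings.append({
                "session_id": req.session_id,
                "ts": req.ts,
                "original_ua": origin.user_agent,
                "new_ua": req.user_agent,
                "original_ip": origin.client_ip,
                "new_ip": req.client_ip,
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"possible cookie replay: session {f['session_id']} moved from "
              f"'{f['original_ua']}' @ {f['original_ip']} to '{f['new_ua']}' @ {f['new_ip']}")
```

The session store would normally be the source of the original User-Agent rather than the first log line, and a real deployment would revoke the session on a hit instead of only reporting it; the heuristic is the same either way.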
Another feature that version 2 offers is clipboard manipulation, i.e., the ability to alter the data in the system clipboard in an effort to steal cryptocurrency, Threat Fabric explained.
“The bot sets up an event listener, designed to notify the malware whenever some new data is saved in the clipboard,” researchers stated. “If the string of data is potentially a cryptocurrency wallet address, S.O.V.A. substitutes it with a valid address for the corresponding cryptocurrency.”
The supported cryptocurrencies thus far are Binance, Bitcoin, Ethereum & TRON.
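The clipboard substitution described above is detectable on the device side by the same logic a cautious user applies by hand: compare what was copied with what is pasted into the recipient field, and refuse the transaction if both look like addresses of the same coin but differ. The code below is an added example of that check over a constructed clipboard event log; it is not code from Threat Fabric or from SOVA. The address patterns for Bitcoin, Ethereum, TRON and Binance (BNB Beacon Chain) are shape-only regular expressions with no checksum validation, and the event layout and sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape-only address heuristics for the four coins the page lists. These check
# prefix, alphabet and length, not checksums (an assumption that shape alone is
# enough to recognise a same-coin substitution).
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":     re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "binance":  re.compile(r"^bnb1[ac-hj-np-z02-9]{38}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


@dataclass(frozen=True)
class ClipEvent:
    ts: float
    kind: str   # "copy": user placed text on the clipboard; "paste": text landed in a field
    text: str


def detect_clipboard_swaps(events: List[ClipEvent], window_s: float = 60.0) -> List[Dict]:
    """Flag a paste whose content is a different address of the same coin as the
    most recent copy, within window_s seconds: the signature of clipboard hijacking."""
    findings = []
    last_copy: Optional[ClipEvent] = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "copy":
            last_copy = ev
        elif ev.kind == "paste" and last_copy is not None:
            copied, pasted = classify_address(last_copy.text), classify_address(ev.text)
            if (copied is not None and copied == pasted
                    and ev.text.strip() != last_copy.text.strip()
                    and ev.ts - last_copy.ts <= window_s):
                findings.append({"coin": copied, "ts": ev.ts,
                                 "copied": last_copy.text, "pasted": ev.text})
    return findings


# Constructed event log: a Bitcoin address copied, then a different one pasted
# seconds later; an Ethereum address copied and pasted unchanged; plain text copied.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "copy",  "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipEvent(103.0, "paste", "1ConstructedSwapAddrXXXXXXXXXXXXXX"),
    ClipEvent(200.0, "copy",  "0x" + "ab" * 20),
    ClipEvent(204.0, "paste", "0x" + "ab" * 20),
    ClipEvent(300.0, "copy",  "meeting notes"),
    ClipEvent(301.0, "paste", "TConstructedTronAddrXXXXXXXXXXXXXX"),
]


if __name__ == "__main__":
    for f in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{f['coin']} address swapped on clipboard at t={f['ts']}: "
              f"copied {f['copied']} but pasted {f['pasted']}")
```

A wallet app can run the same comparison between its own last copy and the value arriving in its recipient field and prompt the user to re-check the address; the third pair above stays silent because what the user copied was not an address, so there is nothing to compare against.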
Still ahead on the roadmap, SOVA’s authors said that they will soon add “automatic 3-stage overlay injections.”
“It is not clear what the 3 stages imply, but it could mean a more advanced & realistic process, maybe implying download of additional software to the device,” researchers noted.
The authors of the malware clearly have lots of ambitions regarding SOVA’s future, & it does have the potential to become a dangerous threat for the Android ecosystem, researchers have concluded.
“The 2nd set of features, added in the future developments, are very advanced & would push SOVA into a different realm for Android banking malware,” they explained.
“If the authors adhere to the roadmap, it will also be able to feature…DDoS capabilities, ransomware & advanced overlay attacks. These features would make SOVA the most feature-rich Android malware on the market and could become the ‘new norm’ for Android banking trojans targeting financial institutions.”
SOVA could perhaps be following in the footsteps of TrickBot, a multiplatform malware that began life as a banking trojan before moving on to other types of cyber-attacks & becoming one of the most popular & pervasive trojans used by threat actors across the globe. It now specialises in acting as a 1st-stage infection, delivering a range of follow-on ransomware & other malware.
TrickBot’s authors lately instituted some code changes that could indicate that TrickBot is getting back into the bank-fraud game – specifically adding a man-in-the-browser (MitB) capability for stealing online banking credentials that derives from Zeus, the early banking trojan — potentially signalling a coming deluge of fraud attacks.