A new Android trojan appeared in August and caught researchers’ attention with its bold roadmap (think ransomware, DDoS).
Experts say it could become ‘the most feature-rich Android malware on the market.’
The Most Complete And Advanced Android Trojan Ever?
Researchers recently spotted SOVA (Russian for “owl”), an Android banking trojan under active development. Even in this early stage, the malware is looking to enrich its arsenal with distributed denial of service (DDoS), man in the middle (MiTM), and ransomware functionality – in addition to existing banking overlay, notification manipulation and keylogging services.
According to ThreatFabric researchers, the new malware’s developers have really big ambitions.
“This malware is still in its infancy [first appearing in August, now only on version 2] and it is undergoing a testing phase…prospecting serious and worrying plans for the near future,” they reported in a Friday analysis, indicating that the malware’s roadmap is laid out in underground forum posts advertising its availability for testing.
“SOVA is…taking a page out of traditional desktop malware,” they added. “Including DDoS, man in the middle and ransomware to its arsenal could mean incredible damage to end users, in addition to the already very dangerous threat that overlay and keylogging attacks serve.”
The analysis indicated that the authors’ choices regarding coding and development also add to the new banking trojan’s complexity.
“Regarding the development, SOVA also stands out for being fully developed in Kotlin, a coding language supported by Android and thought by many to be the future of Android development,” according to ThreatFabric experts. “If the author’s promises on future features are kept, SOVA could potentially be the most complete and advanced Android bot to be fully developed in Kotlin to this day.”
SOVA currently relies on Retrofit, a legitimate open-source project, to communicate with the C2 (command-and-control) server.
“Retrofit is a type-safe REST client for Android, Java and Kotlin developed by Square,” researchers said. “The library provides a powerful framework for authenticating and interacting with APIs and sending network requests with OkHttp.”
What Makes The New Banking Trojan Stand Out?
SOVA is, at its core, a banking trojan. While many functionalities are being added, its authors aren’t neglecting this part of its development either. For example, SOVA doesn’t back away from the more ‘traditional’ overlay attacks.
Overlay attacks are a widespread practice for banking trojans. In this type of attack, the malware replaces the screen users see when they log into mobile banking apps with an identical but fake screen, stealing the victim’s credentials.
SOVA is capable of imitating cryptocurrency wallets, shopping and banking apps that require credit-card info to operate.
“According to the authors, there are already multiple overlays available for different banking institutions from the U.S. and Spain, but they offer the possibility of creating more in case of necessity from the buyer,” researchers noted. Also, version 2 features functionality to target users of some Russian banks – drawing ire from other forum users, according to ThreatFabric.
To make collecting sensitive information easier, SOVA abuses Android’s Accessibility Services.
“When it is started for the first time, the malware hides its app icon and abuses the Accessibility Services to obtain all the necessary permissions to operate properly,” researchers explained. Some of those permissions let the banking trojan read SMS messages and notifications, which also helps it stay hidden from the victim; the roadmap also lists the ability to circumvent two-factor authentication.
What really makes SOVA stand out is one very uncommon feature: the ability to steal session cookies and piggyback on valid logged-in banking sessions, thus not needing to actually steal banking credentials at all to get access to a victim’s account.
“Cookies are a vital part of web functionality, which allow users to maintain open sessions on their browsers without having to re-input their credentials repeatedly,” researchers noted. “SOVA will create a WebView to open a legitimate web URL for the target application and steal the cookies once the victim successfully logs in…it is capable of stealing session cookies from major websites like Gmail or PayPal with ease.”
In the latest build of the Android trojan, its developers added the option to create a list of apps for which to track cookies automatically. Another feature of this version is clipboard manipulation.
“The bot sets up an event listener, designed to notify the malware whenever some new data is saved in the clipboard,” researchers said. “If the string of data is potentially a cryptocurrency wallet address, S.O.V.A. substitutes it with a valid address for the corresponding cryptocurrency.”
So far, the supported cryptocurrencies are Bitcoin, Binance, Ethereum, and TRON. SOVA’s authors also announced that they would add “automatic three-stage overlay injections.”
“It is not clear what the three stages imply, but it could mean a more advanced and realistic process, maybe implying download of additional software to the device,” researchers said.
SOVA – A Dangerously Well-Thought-Out Development Roadmap
If its authors succeed in everything they have planned for the Android trojan, SOVA does indeed have the potential to become a serious threat to the Android ecosystem, according to ThreatFabric experts.
“The second set of features, added in the future developments, is very advanced and would push SOVA into a different realm for Android banking malware,” they said. “If the authors adhere to the roadmap, it will also be able to feature…DDoS capabilities, ransomware and advanced overlay attacks. These features would make SOVA the most feature-rich Android malware on the market and could become the ‘new norm’ for Android banking trojans targeting financial institutions.”
In some aspects, SOVA could walk the path of TrickBot, a multiplatform malware that started out as a banking trojan. It then moved on to other types of cyberattacks and became a very popular trojan used worldwide. It now acts as a first-stage infection, delivering ransomware and other malware.
TrickBot’s developers recently applied some code modifications, which could indicate that the malware is returning to its origin – the bank-fraud game – specifically adding a man-in-the-browser (MitB) feature for stealing online banking credentials.