The Android banking Trojan SOVA has resurfaced with new and improved features, according to a recent advisory from Cleafy’s security researchers. Originally detected in September 2021, SOVA has been continuously evolving, with the latest version, SOVA v4, targeting over 200 mobile applications, including banking apps and crypto exchanges like Binance.
One of the most notable additions in SOVA v4 is its Virtual Network Computing (VNC) capability, a feature that had been on the malware's roadmap since 2021. This shows that the threat actors are continuously extending the Trojan with new functionality. In addition to VNC, SOVA v4 can now capture screenshots, record gestures, and execute multiple commands on infected devices.
The cookie-stealing mechanism in SOVA v4 has also been enhanced to target specific Google services and other applications. Moreover, the malware can now prevent users from uninstalling it by intercepting uninstallation attempts.
Cleafy's advisory also mentions the discovery of a new variant, SOVA v5, which has undergone code refactoring and introduces ransomware capabilities. This feature is particularly noteworthy because ransomware is not commonly found in Android banking Trojans. With mobile devices becoming the primary storage for personal and business data, the addition of ransomware functionality in SOVA v5 poses a significant threat to users.
Overall, the continuous development and adaptation of the SOVA Trojan highlight the evolving nature of mobile banking malware. Users are advised to stay vigilant and ensure their devices are protected with up-to-date security measures to mitigate the risk of falling victim to such threats.