The Android banking Trojan SOVA is back and sporting updated capabilities — with an additional version in development that contains a ransomware module.

Researchers at Cleafy, which documented the resurgence of SOVA, say that version 4 appears to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Spain appears to be the country most targeted by the malware, followed by the Philippines and the US.

The SOVA v4 malware is hidden within fake Android applications disguised by the logos of popular apps including Chrome and Amazon. The latest version includes a refactored and improved cookie-stealer mechanism, which can now specify a list of targeted Google services and other applications. In addition, the update allows the malware to protect itself by intercepting and deflecting attempts made by victims to uninstall the app.

Also in the latest versions of SOVA, attackers can control the specific targets via the command-and- control (C2) interface. This increases the adaptability of the malware to a large variety of attack scenarios.

In addition, it has capabilities that allow attackers to grab screenshots, and to record and execute commands. This enables an attacker to look for ways to laterally move around to other systems or applications that might be more lucrative.

"The most interesting part is related to the [virtual network computing] capability," the report notes. "This feature has been in the SOVA roadmap since September 2021 and that is strong evidence that [threat actors] are constantly updating the malware with new features and capabilities."

Ransomware on the Horizon

The Cleafy team also found evidence that suggested that an additional version of the malware, version 5, is in development and will include a ransomware module that had previously been announced in a September 2021 development roadmap.

"The ransomware feature is quite interesting as it’s still not a common one in the Android banking-trojan landscape," Cleafy researchers note. "It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data."

Cory Cline, senior cyber security consultant at nVisium, says that adding ransomware capabilities to a banking Trojan offers plenty of upside to cybercriminals.

"No longer do they need to steal your personal data to get access to your financial information," he explains. "With ransomware capabilities, attackers can now encrypt affected devices."

He adds that with more and more people storing nearly every aspect of their lives on their mobile devices, attackers will be able to more easily find targets willing to pay to get access to their data returned.

"The team behind SOVA has demonstrated a new level of sophistication," he says. "The feature set is fairly unique to the Android banking Trojan scene, and SOVA is one of the most feature-rich Android banking Trojans available."

However, he points out that the team behind SOVA has opted to implement RetroFit for C2 as opposed to writing its own solution.

"This could speak to some limitations in the development team," Cline says.

Banking Trojans Get Boost From Added Capabilities

Other banking Trojans have also resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by joint international task force in January 2021.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, says that improving and evolving existing Android banking Trojans has many advantages.

"The significant improvements to SOVA v4 and SOVA v5 show that attackers can simply expand existing features such as the cookies stealer, which now includes more payment services and applications to exploit," he points out. "New modules such as those targeting cryptowallets demonstrate that attackers see cryptocurrencies as a lucrative target."

He explains that adding ransomware capabilities can have multiple advantages for attackers, such as destroying evidence. That makes it difficult for digital forensics to discover any traces or attribution of the attacker, and gives the attacker an additional option to get paid when stealing credentials or cookies is not successful.

"As new Internet services specifically in the financial industry get adopted," Carson says, "attackers will need to keep updating banking Trojans with new modules just like any other software company to stay compatible with newer technologies."