SOVA: New Android Banking Trojan Emerges With Growing Capabilities (Security News, September 2021)
A mix of banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain are the target of a newly discovered Android trojan that could enable attackers to siphon personally identifiable information from infected devices, including banking credentials, and open the door for on-device fraud.
Dubbed S.O.V.A., the current version of the banking malware comes with myriad features to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses, with future plans to incorporate on-device fraud through VNC, carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes.
Overlay attacks typically involve the theft of confidential user information using malware that overlays its own windows on top of another program.
"The second set of features, added in the future developments, are very advanced and would push S.O.V.A. into a different realm for Android malware, making it potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities," ThreatFabric said in a report shared with The Hacker News.
Although the malware is believed to be in its nascent stages of development, S.O.V.A.'s developers have been advertising the product on hacking forums, looking to recruit testers to trial the malware and its bot capabilities on a large number of devices.
"Not redistribution of Cerberus/Anubis, the bot is written from scratch," the forum post read. "[S.O.V.A.] is still a project in its infancy, and now provides the same basic features as most other modern Android banking malware," the researchers said.