S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]

ID: S1062
Platforms: Android
Version: 1.0
Created: 06 February 2023
Last Modified: 13 April 2023

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

S.O.V.A. can silently intercept and manipulate notifications. S.O.V.A. can also inject cookies via push notifications.[1]

Mobile T1638 Adversary-in-the-Middle

S.O.V.A. has included adversary-in-the-middle capabilities.[1]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

S.O.V.A. can use the open-source project RetroFit for C2 communication.[1]

Mobile T1471 Data Encrypted for Impact

S.O.V.A. has code to encrypt device data with AES.[2]

Mobile T1641 .001 Data Manipulation: Transmitted Data Manipulation

S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.[1]

Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

S.O.V.A. can hide its application icon.[1]

Mobile T1629 .001 Impair Defenses: Prevent Application Removal

S.O.V.A. can resist removal by going to the home screen during uninstall.[1]

Mobile T1630 .001 Indicator Removal on Host: Uninstall Malicious Application

S.O.V.A. can uninstall itself.[1]

Mobile T1417 .001 Input Capture: Keylogging

S.O.V.A. can use keylogging to capture user input.[1]

.002 Input Capture: GUI Input Capture

S.O.V.A. can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.[1]

Mobile T1516 Input Injection

S.O.V.A. can programmatically tap the screen or swipe.[2]

Mobile T1464 Network Denial of Service

S.O.V.A. has C2 commands to add an infected device to a DDoS pool.[1]

Mobile T1406 .002 Obfuscated Files or Information: Software Packing

S.O.V.A. has been distributed in obfuscated and packed form.[1]

Mobile T1636 .004 Protected User Data: SMS Messages

S.O.V.A. can intercept and read SMS messages.[1]

Mobile T1513 Screen Capture

S.O.V.A. can take screenshots and abuse the Android Screen Cast feature to capture screen data.[2]

Mobile T1582 SMS Control

S.O.V.A. can send SMS messages.[1]

Mobile T1418 Software Discovery

S.O.V.A. can search for installed applications that match a list of targets.[2]

Mobile T1409 Stored Application Data

S.O.V.A. can gather session cookies from infected devices. S.O.V.A. can also abuse Accessibility Services to steal Google Authenticator tokens.[1][2]

Mobile T1426 System Information Discovery

S.O.V.A. can gather data about the device.[1]