Account Takeover Fraud, Endpoint Security, Fraud Management and Cybercrime
Trojan Targets Over 200 Mobile Banking Apps
Prajeet Nair (@prajeetspeaks) •
August 13, 2022
An updated version of the Russia-linked SOVA Android Trojan is back with updated attack techniques targeting over 200 mobile apps, including banking apps and crypto exchanges/wallets. Researchers from Cleafy discovered that the Trojan now also has ransomware functionality.
See also: Webinar | Prevent, Detect and Restore: Data Security Backup Systems Made Simple
First discovered in September 2021, SOVA is the Russian word for “owl” – a designation apparently chosen by the creator of the malware, shows previous research by Threat Fabric. The Trojan was advertised in a known underground forum and had multiple capabilities even during its initial development phase.
As of March 2022, Cleafy researchers have identified multiple versions of the Trojan, with capabilities such as 2FA interception, cookie theft, and injections for new targets, including Philippine banks.
While investigating SOVA v4, researchers say they came across a possible SOVA v5.
While analyzing the malware code, the researchers observed a massive refactoring of the SOVA V4 code, with the addition of new features and changes in the communications between the malware and the command and control server.
Although there are several changes, the most interesting feature they discovered is the presence of a ransomware module. They observed that threat actors try to encrypt files inside infected devices using AES algorithm and using “.enc” extension.
“The ransomware feature is quite interesting as it is still not common in the Android banking Trojan landscape. most people central storage of personal and work data,” the researchers said. say.
Cleafy researchers observed that the threat actors behind the Trojan started hiding the Trojan with fake Android apps that used the logo of Chrome, Amazon, NFT platform or others.
SOVA v4 threat actors are able to obtain screenshots of infected devices to retrieve more information about victims and are able to record and obtain sensitive information.
Features like these, when combined with Accessibility Services, researchers say, allow threat actors to perform gestures and, therefore, fraudulent activities from the infected device.
“With SOVA v4, [Threat actors] are capable of handling several commands, such as: clicking on the screen, swiping, copy/paste and the possibility of displaying an overlay screen to hide the screen from the victim”, explain the researchers.
They also observe that several log information is still returned to command and control like in its previous version, indicating that the Trojan is still under development with new features and capabilities. But the latest use of its new VNC feature sets it apart from previous versions. VNC is typically used for local computers and mobile devices that you want to control remotely.
Additionally, the updated Trojan also contains a refactored and improved cookie-stealing mechanism, where hackers have specified a comprehensive list of Google services such as Gmail, GPay and Google Password Manager that they wish to steal and a list other apps.
“For each of the stolen cookies, SOVA will also collect additional information such as ‘is httpOnly’, its expiration date, etc.,” the researchers explain.
Other features of the Trojan include the refactoring of its “guards” module which defends the Trojan against the actions of various victims. Whenever a user tries to uninstall the malware from settings, the updated SOVA Trojan intercepts such actions and prevents them by abusing the accessibility feature and comes back with a pop-up on the user’s screen. home indicating that the application is secure.
“The capability itself isn’t that sophisticated, but the fact that they do it adds a new level of complexity and possible subversion of other security controls to allow the Trojan controller to bypass security barriers. designed to prevent compromise,” says Chris Pritchard, an adversarial engineer at Colorado-based information security consulting firm LARES Consulting.
Pritchard says developers responding quickly to development requests suggests they will become more sophisticated.
“Suppose a mobile banking application prevents screenshots, for example, as a security check. In this case, it seems that Trojan authors will quickly make improvements to develop other methods to obtain the information and details they need to pursue their goals,” says Pritchard. .
The researchers say that the latest version of the Trojan uses the .apk to decompress a .dex file which contains the real malicious features, whereas in the previous version the .dex file was stored in the application directory, “whereas in the current version it uses a device’s shared storage directory (“android/obb/”) to store it.”
They also observe a brand new module for the Binance exchange and the Trust Wallet, Binance’s official crypto wallet.
“[Threat Actors] aim to obtain different information, such as the account balance, different actions performed by the victim in the app and, finally, even the seed phrase (a collection of words) used to access the crypto wallet,” the researchers explain.