During a routine threat hunting exercise, Cyble Research Labs came across a darkweb post regarding an Android Banking Trojan named S.O.V.A. The post was made by an unknown Threat Actor (TA) as an advertisement on the XSS.is forum, and the TA mentions that the trojan is still under development. Figure 1 shows the TA's post on the XSS.is forum.
According to the post, S.O.V.A. (“owl” in Russian) is a new Android banking trojan under active development. The TA has also mentioned that the trojan currently works on Android version 7 – 11. The TA plans to upgrade the bot to work on Android 12 as well.
The TA is planning to incorporate Distributed Denial of Service (DDoS), Man in the Middle (MiTM) and ransomware functionalities into S.O.V.A. The features in the current version of the S.O.V.A. malware are listed below:
- Standard data available in the device
- Send SMS
- Send inject PUSH
- Send a cookie PUSH
- Send U.S.S.D.
- Standard Injections
- 3-Stage Injections
- Cookie Injections (Session Grabber)
- Automatic Injections
- Credit Card Injections have a CC check for validity. The victim will not be able to enter incorrect data.
- Covert SMS Interception
- Covert PUSH Interception
- Delete Application
The TA is also planning to add the following features in future variants:
- Automatic 3-stage Injections
- Automatic Cookie Injections
- Complete Normal Clipper
- GIF Accessibility
- Improving Panel Performance
- Mini Ransomware with Card Insertion
- Interception of Internet packets (packet capture, “MITM”)
- Normal PUSH Notifications
- Many Injections
- Interception of 2FA
APK Metadata Information
APK File Info
- App Name: Flash Player
- Package Name: com.adobe.flashplayer
- SHA256 Hash: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
The figure below shows the metadata information of the sample.
As shown in the figure above, the malware sample disguises itself as Adobe Flash Player.
Manifest File Description
The fake Flash Player app requests 21 different permissions, of which the TA can abuse 12. The dangerous permissions requested by the malware are listed below.
| Permission | Description |
| --- | --- |
| READ_CONTACTS | Access to phone contacts |
| READ_EXTERNAL_STORAGE | Access device external storage |
| WRITE_EXTERNAL_STORAGE | Modify device external storage |
| READ_PHONE_STATE | Access phone state and information |
| RECORD_AUDIO | Allows recording audio using the device microphone |
| CALL_PHONE | Perform calls without user intervention |
| READ_CALL_LOG | Access the user's call logs |
| READ_SMS | Access the user's SMSs stored on the device |
| RECEIVE_MMS | Fetch and process MMS messages |
| RECEIVE_SMS | Fetch and process SMS messages |
| SEND_SMS | Allows the app to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows displaying system alerts over other apps |
| WRITE_SMS | Modify or delete SMSs stored in the database |
Table 1: APK Permission List
Upon inspecting the Android components declared in the manifest, we identified the activity class that is initiated on starting the app from the icon. The declaration of the activity is shown in Figure 3.
We also observed that the permissions, activity classes, and services declared in the manifest file allow the malware to replace the Messages app on the device. Upon receiving permission to act as the default messaging app, the S.O.V.A. trojan will be able to handle, send and receive SMS and MMS messages from the infected device. Refer to Figure 4.
The S.O.V.A. malware has also declared permissions to handle device notifications in the Android manifest file. It abuses this capability to read and modify notifications received on the device. Upon enabling this, the banking trojan will be able to intercept all notifications such as OTPs, personal messages, etc. The permission declaration is shown in the figure below.
The figure below shows that the malware requests the user for the BIND_ACCESSIBILITY_PERMISSION. This permission allows apps to access a powerful service running on the Android device called Accessibility Service.
Accessibility Service is a background service running on the device that is intended to aid users with disabilities. Malware such as Banking trojans, Remote Access Trojans (RATs) and Spyware abuse this service to intercept and monitor all activity on the device screen, for example to capture credentials as they are entered into another app.
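The manifest findings above (abusable permissions, the default-SMS-app role, the notification listener and the accessibility service) can be checked mechanically on a decoded AndroidManifest.xml, for instance after `apktool d`. The script below is an added example written for this article, not code from Cyble or from the malware: it parses a manifest, reports which Table 1 permissions are requested, and flags the three service/receiver declarations that give a banking trojan its screen, notification and SMS access. The manifest embedded in it is constructed to mimic the combination the article describes and is not the real sample's manifest. The service permission strings checked are the real Android ones: `android.permission.BIND_ACCESSIBILITY_SERVICE` (the accessibility binding the article refers to) and `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`; the `SMS_DELIVER` receiver is what an app must declare to be eligible as the default SMS app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Watchlist: the permissions from Table 1 that this family abuses.
WATCHLIST = {
    "READ_CONTACTS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_PHONE_STATE", "RECORD_AUDIO", "CALL_PHONE", "READ_CALL_LOG",
    "READ_SMS", "RECEIVE_MMS", "RECEIVE_SMS", "SEND_SMS",
    "SYSTEM_ALERT_WINDOW", "WRITE_SMS",
}

# Constructed manifest (NOT the real sample's) that mimics the pattern described
# in the article: abusable permissions, an accessibility service, a notification
# listener and an SMS_DELIVER receiver for the default-SMS-app role.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Parse a decoded AndroidManifest.xml and collect the risk-relevant facts."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "watchlist_permissions": [],   # Table 1 permissions, in manifest order
        "accessibility_service": False,
        "notification_listener": False,
        "sms_deliver_receiver": False,
    }
    for node in root.findall("uses-permission"):
        # android.permission.READ_SMS -> READ_SMS
        short = node.get(NAME, "").rsplit(".", 1)[-1]
        if short in WATCHLIST:
            findings["watchlist_permissions"].append(short)
    if app is not None:
        for svc in app.iter("service"):
            bind = svc.get(PERMISSION, "")
            if bind.endswith("BIND_ACCESSIBILITY_SERVICE"):
                findings["accessibility_service"] = True
            if bind.endswith("BIND_NOTIFICATION_LISTENER_SERVICE"):
                findings["notification_listener"] = True
        for action in app.iter("action"):
            if action.get(NAME) == "android.provider.Telephony.SMS_DELIVER":
                findings["sms_deliver_receiver"] = True
    return findings


def risk_flags(findings):
    """Turn the findings into human-readable triage flags (empty list = nothing notable)."""
    flags = []
    count = len(findings["watchlist_permissions"])
    if count:
        flags.append(f"{count} abusable permissions requested")
    if findings["accessibility_service"]:
        flags.append("binds an AccessibilityService (screen monitoring / overlay abuse)")
    if findings["notification_listener"]:
        flags.append("binds a NotificationListenerService (can read OTP notifications)")
    if findings["sms_deliver_receiver"]:
        flags.append("declares an SMS_DELIVER receiver (eligible as default SMS app)")
    return flags


if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["watchlist_permissions"])
    for flag in risk_flags(result):
        print(" -", flag)
```

An app that legitimately needs one of these capabilities (an SMS client, a screen reader) will trip one flag; a "Flash Player" that trips all four, as the article's sample does, is the combination worth escalating.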
Initial Stage Behavior
The figure below shows the various activities performed by S.O.V.A. malware.
The three stages shown in Figure 7 are:
- Prior to launch, the malware does not have any permissions: no Notification Listener permission and no other dangerous permissions.
- Once the victim starts the app, the malware requests the user to enable the Accessibility permission.
- Upon enabling the Accessibility permission, the malware enables all the requested permissions, hides the icon from the user's home screen, requests the victim to make the fake Flash Player the default messaging app, and blocks the victim from accessing the malicious app's Settings page. This is done to prevent the user from modifying the malware's capabilities, such as its permissions.
Source Code Analysis
The S.O.V.A. malware creates a background service called RequestService, which communicates with the Command and Control (C&C) server and performs malicious activities based on the commands received from the server, as shown below.
The commands from the C&C server are:
| Command | Description |
| --- | --- |
| stealer | Steal the session cookie of an app |
| hidensms | Hide received SMS from notifications |
| starthidenpush | Hide push notifications |
| delbot | Delete the bot from the device |
| getlog | Upload keylogged data |
| startkeylog | Clear the old key log and start keylogging |
| scaninject | Update the targeted application list |
| openinject | Open a WebView with the URL from the C&C |
| stophidenpush | Stop hiding push notifications |
| sendpush | Display a push notification to start the WebView injection |
| stophidensms | Stop hiding received SMSs |
| stopscan | Stop scanning for new app targets |
| stealerpush | Same as the sendpush command |
| sendsms | Send an SMS message |
Table 2: S.O.V.A. Malware Commands List
The S.O.V.A. malware creates listeners for events on the device, such as boot complete, SMS received, etc. The malware communicates with the C&C server whenever these listeners are triggered, sending the details of the event along with its data, as shown in the code in Figure 9.
S.O.V.A. malware constantly monitors the device screen for targeted applications. The targeted applications are stored in the packageList.txt file in the assets folder. The below figure shows the file with the list of targeted apps.
Whenever the user opens a target application, the malware creates an overlay using the WebView with the link provided by C&C server.
The targeted apps include banking apps, cryptocurrency apps etc. The TA can also add new apps to target based on their requirements.
The malware uses Accessibility to monitor the victim’s device screen. The code used by the malware to monitor the screen for targeted apps is shown in the figure below.
The figure below shows the code that creates the overlay screen over the targeted application.
In the overlay screen, the victim is shown a fake login page of the targeted application. Upon login, the malware steals the cookies using the CookieManager and CookieSyncManager features, the code for which is shown in Figure 12. The trojan also has the capability to send SMS messages to the number provided by the C&C server. The code to send SMSs is shown in the figure below.
The trojan registers a service for monitoring clipboard changes. The code used by the malware for clipboard monitoring is shown in Figure 14.
The S.O.V.A. malware also has the capability to perform DDoS attacks on a specific public server which is provided as a command from C&C server. The target of the DDoS attacks is shared by the TA.
The malware hides the C&C server URL using Base64 encoding as shown in the below figure.
C&C Server URL: hxxp://a0545193.xsph[.]ru
The C&C endpoint methods used by the S.O.V.A. malware:
- /api – Main API endpoint method
- /keylog.php – Keylog stealing method
- /testpost.php – send stolen cookies
- /logpost.php – send logs
The code below shows the C&C endpoint methods used by the malware.
We also observed that the malware author is planning to include Telegram as a C&C channel. This behavior is similar to the recent Banking Trojan called Aberebot. The code below shows the Telegram API URL included in the malware.
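Because the C&C URL is only Base64-encoded rather than encrypted, it can be recovered from the decompiled strings without running the sample. The script below is an added example written for this article (not Cyble's tooling and not code from the sample): it scans a blob of decoded code for Base64-looking tokens, decodes the ones that yield printable text, pulls out any URLs, and labels the URL path against the four endpoint methods the article lists (/api, /keylog.php, /testpost.php, /logpost.php). The smali-style input is constructed and uses the reserved placeholder host `c2.example.invalid` instead of the real C&C address.

```python
import base64
import re
import string
from urllib.parse import urlparse

# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRINTABLE = set(string.printable)

# Endpoint methods documented in the article, keyed by URL path.
KNOWN_ENDPOINTS = {
    "/api": "main API endpoint",
    "/keylog.php": "keylog upload",
    "/testpost.php": "stolen cookie upload",
    "/logpost.php": "log upload",
}

# Constructed decompiled-code fragment (placeholder host, not the real C&C).
_API = base64.b64encode(b"http://c2.example.invalid/api").decode()
_KEYLOG = base64.b64encode(b"http://c2.example.invalid/keylog.php").decode()
SAMPLE_SMALI = f'''
const-string v0, "{_API}"
const-string v1, "{_KEYLOG}"
const-string v2, "ThisIsNotBase64ButLongEnoughToMatch"
const-string v3, "plain text, no encoding here"
'''


def decode_candidate(token):
    """Decode a Base64 token; return its text, or None if it is not printable ASCII."""
    padded = token + "=" * (-len(token) % 4)   # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if not all(ch in PRINTABLE for ch in text):
        return None
    return text


def find_encoded_urls(blob):
    """Return, in order of appearance, every URL hidden in Base64 tokens in `blob`."""
    found = []
    for match in B64_TOKEN.finditer(blob):
        text = decode_candidate(match.group(0))
        if text is None:
            continue
        for url in URL_RE.findall(text):
            if url not in found:
                found.append(url)
    return found


def classify_endpoint(url):
    """Map a recovered URL to the endpoint method described in the article."""
    return KNOWN_ENDPOINTS.get(urlparse(url).path, "unrecognised endpoint")


if __name__ == "__main__":
    for url in find_encoded_urls(SAMPLE_SMALI):
        print(f"{url} -> {classify_endpoint(url)}")
```

In practice the blob would be the concatenated output of `apktool d` or a `strings` run over the APK; the printable-ASCII filter discards the many alphabet-only identifiers that happen to be long enough to look like Base64.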
The targeted application list in assets/packageList.txt is shown below.
|Targeted Application List|
According to our research, there is a substantial increase in the amount of Android Banking Trojans emerging of late. We have also observed that the malware authors are incorporating new technology to steal information and money from victims. S.O.V.A. is the latest example of this shift in trends.
S.O.V.A. malware uses the same techniques as other Android Banking Trojans such as Aberebot, Cerberus, etc. Alongside being a Banking Trojan, the new trojan offers the capability to perform DDoS attacks, cookie stealing, hiding notifications, etc. The author has mentioned that they plan to incorporate other dangerous features such as ransomware.
These trojans can be avoided by following some basic cyber hygiene practices on mobile devices.
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset.
- Use the shared IoCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Operating System and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from registered app stores.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Credential Access | T1414 | Capture Clipboard Data |
| Discovery | | System Network Connections Discovery |
| Discovery | | Network Information Discovery |
| Collection | | Capture SMS Messages |
| Collection | | Access Contact List |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IoCs):
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57 | SHA256 | Hash of the APK sample |
| efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7 | SHA256 | Hash of the second APK sample |
| 795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6 | SHA256 | Hash of the third APK sample |
| dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165 | SHA256 | Hash of the fourth APK sample |
| hxxp://l8j1nsk3j5h1msal973nk37[.]fun | URL | C&C URL of another sample |
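The recommendation above to "use the shared IoCs to monitor and block the malware infection" amounts to two checks: hashing APK files pulled from devices or an MDM against the SHA256 list, and matching the defanged C&C hosts against proxy or DNS logs. The script below is an added example for this article (not Cyble's code) that does both with the indicators from the IoC table and the C&C URL given earlier. Because the real samples are not on hand, `run_demo` writes a constructed stand-in file and adds its own hash to a copy of the table; the log lines are likewise constructed.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# SHA256 IoCs from the article's table.
IOC_HASHES = {
    "8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57": "APK sample",
    "efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7": "second APK sample",
    "795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6": "third APK sample",
    "dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165": "fourth APK sample",
}
# Defanged C&C URLs from the article (main sample and "another sample").
IOC_URLS = ["hxxp://a0545193.xsph[.]ru", "hxxp://l8j1nsk3j5h1msal973nk37[.]fun"]

# Constructed proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2021-09-10T10:00:01Z device=phone01 dst=a0545193.xsph.ru path=/api",
    "2021-09-10T10:00:05Z device=phone02 dst=play.google.com path=/store",
]


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts(ioc_urls=IOC_URLS):
    """Hostnames to look for in network logs."""
    return [urlparse(refang(u)).hostname for u in ioc_urls]


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(paths, ioc_hashes=IOC_HASHES):
    """Return {path: description} for every file whose SHA256 is a known IoC."""
    hits = {}
    for path in paths:
        digest = sha256_of_file(path)
        if digest in ioc_hashes:
            hits[path] = ioc_hashes[digest]
    return hits


def scan_log(lines, ioc_urls=IOC_URLS):
    """Return the log lines that mention a known C&C host (plain substring match)."""
    hosts = ioc_hosts(ioc_urls)
    return [line for line in lines if any(host in line for host in hosts)]


def run_demo():
    """Constructed demo: one stand-in 'malicious' file and one harmless file."""
    stand_in = b"constructed stand-in for a malicious APK"
    table = dict(IOC_HASHES)
    table[hashlib.sha256(stand_in).hexdigest()] = "constructed test sample"
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "FlashPlayer.apk")
        good = os.path.join(tmp, "notes.txt")
        with open(bad, "wb") as fh:
            fh.write(stand_in)
        with open(good, "wb") as fh:
            fh.write(b"harmless file")
        hits = scan_files([bad, good], table)
        return {os.path.basename(p): desc for p, desc in hits.items()}


if __name__ == "__main__":
    print("file hits:", run_demo())
    print("log hits:", scan_log(SAMPLE_LOG))
```

A hash match confirms one of the four known builds; the article's own remediation then applies (`adb uninstall` of the package, here com.adobe.flashplayer, or a factory reset). A log match on the C&C host is the earlier signal, since it also catches repacked variants whose hash is not yet in the list.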
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.