S.O.V.A. Android Trojan Description
A new Android Trojan has emerged on underground hacker forums, where its creators are advertising it and looking for testers. Although still in development, the threat, named S.O.V.A., already has a wide range of harmful capabilities that it can perform on breached devices. If the features planned for future versions go live, S.O.V.A. might become the most sophisticated and versatile threat of this type so far by combining automation, banking malware and botnet capabilities.
The current version of S.O.V.A. is designed to target multiple popular applications (banking and shopping applications, as well as crypto-wallet programs). The attackers can then start harvesting personally identifiable information, as well as payment and banking details. The threat is capable of logging keystrokes, collecting credentials and session cookies via overlay techniques, modifying the clipboard by injecting a specific crypto-wallet address to reroute funds, and hiding system notifications.
However, the second group of features, set to be added at a later date, will vastly expand S.O.V.A.'s potential to cause damage. The creators plan to add DDoS functionality, ransomware dropper code, and a routine to intercept 2FA (two-factor authentication) codes. Virtual Network Computing (VNC) could also be exploited, allowing the attackers to perform on-device fraud activities.
According to data released by ThreatFabric, the cybersecurity firm that discovered the threat, S.O.V.A. has been targeting users from multiple countries across several continents, with the U.S. and the UK having the most detections, followed by Russia, Germany and Turkey.