roughly SOVA Android Banking Trojan emerges extra highly effective with new capabilities will cowl the most recent and most present suggestion in relation to the world. entrance slowly suitably you comprehend skillfully and appropriately. will addition your data proficiently and reliably

SOVA is an Android banking Trojan with vital capabilities like stealing credentials, capturing keystrokes, taking screenshots, and so on., which may inflict critical harm on units that fall sufferer to this malware . This malware has been on the market on the underground market since final yr and is suspected to have been bought by some criminals to gather essential info from unsuspecting customers. His creators gave him the identify Sova in an underground discussion board.

Since final yr, SOVA has been focusing on Russian and Philippine banks. Since its inception, now we have seen its three variations the place it had 2FA interception, cookie stealing, and injection capabilities. These variations can steal session credentials and cookies by overlay assaults, keylogging, notification hiding, and clipboard manipulation to insert modified cryptocurrency pockets addresses.

SOVA relies on the Retrofit open supply undertaking for its communication with the C2 server.

Within the newest model that now we have seen just lately, SOVA malware appears to have developed with some new options:-

  • You may click on on the display, swipe and replica/paste remotely by instructions, i.e. the most recent model has VNC (Digital Community Computing) functionality.
  • Ransomware capabilities to encrypt recordsdata.
  • Potential to show an overlay display in different purposes.
  • Contact a C2 server to filter an inventory of put in purposes.
  • It targets crypto wallets just like the Binance trade and Belief Pockets.
  • Steal cookies and keylogging.
  • Intercepts multi-factor authentication (MFA) tokens.

This newest model of SOVA mimics the Amazon and Google Chrome icons to trick customers into downloading. At launch time, it asks for accessibility permission and forces the consumer to permit it.

Fig.1 Malware app house display

SOVA model IOC with Fast Heal detections:

SOVA model MD5 detection identify
V1 (2021) 03f51334546586d0b56ee81d3df9fd7a Android.ScytheSCF.QJ
V2 (2021) 1698651d6b8fd95574f62b046b4f68e5 Android.Agent.GEN45035
V3 (2021) b1101bb941285fc54a21c271ee7bf60e Android.Agent.A65a4
V4 (2022) 0533968891354ac78b45c486600a7890 Android.Agent.GEN50857
V4 (2022) ca559118f4605b0316a13b8cfa321f65 Android.Agent.Ad536
V5 (2022) 74b8956dc35fd8a5eb2f7a5d313e60ca Android.HqwarSCF.EH

Fast Heal customers are already protected in opposition to such threats, together with the SOVA variations talked about above.

Fig.2 Fast Heal Detecting malware purposes


  • Obtain apps solely from trusted sources like Google Play Retailer.
  • Don’t click on on any hyperlinks acquired by messages or different social media platforms, as they might deliberately or inadvertently level you to malicious websites.
  • Please learn the pop-up messages you obtain from the Android system earlier than accepting/permitting new permissions.
  • Malware authors spoof the names, icons, and developer names of the unique apps. Subsequently, be very cautious concerning the purposes you obtain in your cellphone.
  • All the time use a great antivirus like “Fast Heal Cell Safety for Android” for higher cellphone safety. A dependable antivirus will mitigate all such threats and defend you from downloading malicious apps in your cell gadget.


As illustrated above, banking malware makes use of new strategies to lure customers by legit utility icons. These Trojans may cause a variety of harm to contaminated units and are offered on underground markets. They have a tendency to unfold by smishing and phishing assaults. Customers needs to be conscious and never obtain and set up purposes from untrustworthy sources.


Mane Digvijay

akshay singla

Mane Digvijay

Mane Digvijay