# Deep-dive Analysis of S.O.V.A. Android Banking Trojan

**[blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/](https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/)**

September 14, 2021

Cyble Research Labs came across a blog post on the darkweb regarding an Android Banking Trojan
named S.O.V.A during our routine threat hunting exercise. The post was made by an unknown Threat Actor
(TA) as an advertisement on the XSS.is forum. The TA also mentions that the trojan is under
development. Figure 1 shows the post by Threat Actor (TA) on the XSS.is forum.

_Figure 1: Screenshot from S.O.V.A. blog in XSS.is forum_
According to the post, S.O.V.A. (“owl” in Russian) is a new Android banking trojan under active
development. The TA has also mentioned that the trojan currently works on Android version 7 – 11. The
TA plans to upgrade the bot to work on Android 12 as well.

The TA is planning incorporate Distributed Denial of Service (DDoS), Man in the Middle (MiTM) and
ransomware functionalities into S.O.V.A. The features in the current version of
S.O.V.A. malware are listed below:

1. Standard data available in the device

1. Send SMS

1. Send inject PUSH

1. Send a cookie PUSH

1. Send U.S.S.D.

1. Standard Injections

1. 3-Stage Injections


-----

1. Cookie Injections (Session Grabber)

1. Automatic Injections

1. Credit Card Injections have a CC check for validity. The victim will not be able to enter incorrect data.

1. Covert SMS Interception

1. Covert PUSH Interception

1. Keylogger

1. Delete Application

The TA is also planning to add the following features in future variants:

1. Automatic 3-stage Injections

1. Automatic Cookie Injections

1. Complete Normal Clipper

1. DDOS

1. GIF Accessibility

1. Improving Panel Performance

1. Mini Ransomware with Card Insertion

1. Interception of Internet packets (packet capture, “MITM”)

1. Normal PUSH Notifications

1. Many Injections

1. V.N.C.

1. Interception of 2FA

## Technical Analysis

### APK Metadata Information

**APK File Info**

App Name: Flash Player
Package Name: com.adobe.flashplayer

SHA256 Hash: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

The figure below shows the metadata information of the sample


-----

_Figure 2: APK Metadata Information_
The malware sample is disguising itself as Adobe Flash player as shown in the above figure,

### Manifest File Description

The fake Flash Player app requests 21 different permissions, of which the T.A. can abuse 12. The
dangerous permissions requested by the malware are listed below.

**Permission Name** **Description**

**READ_CONTACTS** Access to phone contacts

**READ_EXTERNAL_STORAGE** Access device external storage

**WRITE_EXTERNAL_STORAGE** Modify device external storage

**READ_PHONE_STATE** Access phone state and information

**RECORD_AUDIO** Allows to record audio using device microphone

**CALL_PHONE** Perform call without user intervention

**READ_CALL_LOG** Access user’s call logs

**READ_SMS** Access user’s SMSs stored in the device

**RECEIVE_MMS** Fetch and process M.M.S. messages

**RECEIVE_SMS** Fetch and process SMS messages

**SEND_SMS** Allows the app to send SMS messages

**SYSTEM_ALERT_WINDOW** Allows to display system-alerts over other apps

**WRITE_SMS** Modify or Delete SMSs stored in Database

_Table 1: APK Permission List_

Upon inspecting the Android components declared in the manifest, we identified the activity class that
is initiated on starting the app from the icon. The declaration of the activity is shown in Figure 3.


-----

_Figure 3: Launcher activity declared in Manifest file_
We also observed that the permissions, activity classes, and services declared in the manifest file allows
the malware to replace the Messages app on the device. Upon receiving permission to act as the
default messaging app, the S.O.V.A. trojan will be able to handle, send and receive SMS and
M.M.S. messages from the infected device. Refer to Figure 4.

_Figure 4: Declaration of the permission, service, receiver for receiving SMSs and MMSs_
The S.O.V.A. malware has also declared permissions to handle device notifications in the Android manifest
file. It abuses this capability to read and modify notifications received on the device. Upon enabling this,
the banking trojan will be able to intercept all notifications such as OTPs, personal messages, etc.
The permission declaration is shown in the figure below.

_Figure 5: Manifest declaration for Notification listener_
The figure below shows that the malware requests
the user for the BIND_ACCESSIBILITY_PERMISSION. This permission allows apps to access a powerful
service running on the Android device called Accessibility Service.


-----

_Figure 6: Manifest declaration for BindAccessibility service_
**Accessibility Service is a background service running in the device which is used to aid users with**
[disabilities. Malware such as Banking trojans,](https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/) [Remote Access Trojans (R.A.T.s) and Spyware abuse this](https://blog.cyble.com/2021/07/28/a-deep-dive-analysis-of-a-fake-coronapp-targeting-android-users-from-colombia/)
service to intercept and monitor all activities happening on the device screen. Examples of this are the
ability to intercept the credentials being entered on another app.

### Initial Stage Behavior

The figure below shows the various activities performed by S.O.V.A. malware.

_Figure 7: Flow diagram of S.O.V.A. malware’s Initial Stage behavior_
The three stages shown in Figure 7 are:

1. Prior to launch, the malware does not have any permission : No Notification listener permission and

no other dangerous permissions

1. Once the victim starts the app, the malware requests the user to enable Accessibility permission:

Upon enabling the Accessibility permission, the malware enables all the requested permissions,
hides the icon from user’s home screen, requests the victim to make the fake Flash player as the
default messaging app, and blocks the victim from accessing the malicious app’s Settings page. This
is done to restrict the user from modifying the malware’s capabilities such as permissions.

### Source Code Analysis


-----

The S.O.V.A. malware has created a background service called, RequestService, which communicates
with the Command and Control (C&C) server and performs malicious activities based on the commands
received from the server as shown below.

_Figure 8: Code_

_where C&C commands are verified_
The commands from the C&C server are:

**Command** **Description**

startddos Initiate DDoS

stealer Steal Session Cookie of an app

hidensms Hide received SMS from notification

starthidenpush Hide push notifications

delbot Delete the bot from device

getlog Upload key logged data


-----

startkeylog Clears old key log and initiate

scaninject Update targeted application list

stopkeylog Stop keylogging

openinject Open WebView with the URL from C&C

stophidenpush Stop hiding push notifications

sendpush Display Push notification to start WebView Injection

stophidensms Stop hiding received SMSs

stopddos Stop DDoS

stopscan Stop scan for new app targets

stealerpush Same as sendpush command

sendsms Send SMS message

_Table 2: S.O.V.A. Malware Commands List_

The S.O.V.A. malware creates listeners for events on the device, such as boot complete, SMS received,
etc. The malware communicates with the C&C server whenever these listeners are triggered. The malware
also sends the details of the event along with the data as shown in code in Figure 9.

_Figure 9: Code to Upload data based on Events_
S.O.V.A. malware constantly monitors the device screen for targeted applications. The targeted
applications are stored in the packageList.txt file in the assets folder. The below figure shows the file with
the list of targeted apps.


-----

_Figure 10: Subset of Targeted App list in_

_packageList.txt_
Whenever the user opens a target application, the malware creates an overlay using the WebView with the
link provided by C&C server.

The targeted apps include banking apps, cryptocurrency apps etc. The TA can also add new apps to
target based on their requirements.

The malware uses Accessibility to monitor the victim’s device screen. The code used by the malware to
monitor the screen for targeted apps is shown in the figure below.


-----

_Figure 11: Code to monitor device screen and start the overlay_
The below figure shows the code create overlay screen over the targeted application.

_Figure 12: Code to create overlay using WebVIew and to steal the cookie_


-----

In the overlay screen, the victim will be displayed a fake login page of the targeted application. Upon login,
the malware steals the cookies using the CookieManager and CookieSyncManager features, the code
for which is shown in Figure 12. The trojan also has the capability to send SMS messages to the number
provided by the C&C server. The code to send SMSs is shown in the below figure.

_Figure 13: Code to send_

_SMS messages based on C&C command_
The trojan registers a service for monitoring the clipboard changes. The code used by the malware for
clipboard monitoring is shown in figure 14.

_Figure 14: Code to Capture Clipboard Contents_
The S.O.V.A. malware also has the capability to perform DDoS attacks on a specific public
server which is provided as a command from C&C server. The target of the DDoS attacks is shared by the
TA.

The malware hides the C&C server URL using Base64 encoding as shown in the below figure.

_Figure 15: C&C URL encoded using_

_Base64_
C&C Server URL: hxxp://a0545193.xsph[.]ru


-----

The C&C endpoint methods used by the S.O.V.A. malware:

/api – Main API endpoint method
/keylog.php – Keylog stealing method
/testpost.php – send stolen cookies

/logpost.php – send logs

The below code shows the C&C endpoint methods used by the malware

_Figure 16: Code with C&C Endpoint methods_
We also observed that the malware author is planning include Telegram
[as C&C. This behavior is similar to the recent Banking Trojan called Aberebot. The code below](https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/)
shows the Telegram API URL included in the malware.

_Figure 17: Telegram API URL in Malware’s code_

The targeted application list in assets/packageList.txt is shown below.

**Targeted Application List**

com.google.android.apps.authenticator2

com.bankaustria.android.olb

com.cibc.android.mobi

com.rbc.mobile.android

cz.airbank.android

com.kutxabank.android

es.lacaixa.mobile.android.newwapicon

com.mtel.androidbea

jp.co.aeonbank.android.passbook

com.barclays.ke.mobile.android.ui


-----

nz.co.anz.android.mobilebanking

alior.bankingapp.android

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

ru.rosbank.android

com.vkontakte.android

ru.taxovichkof.android

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

com.amazon.mShop.android.shopping

ru.alfabank.mobile.android

com.idamob.tinkoff.android

ru.vtb24.mobilebanking.android

com.akbank.android.apps.akbank_direkt

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.android.apps.akbank_direkt_tablet_20

com.ykb.android

com.ykb.android.mobilonay

com.ykb.androidtablet

biz.mobinex.android.apps.cep_sifrematik

com.matriksmobile.android.ziraatTrader

de.comdirect.android

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.usaa.mobile.android.usaa

com.chase.sig.android


-----

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

com.rbs.mobile.android.ubr

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

au.com.ingdirect.android

com.cba.android.netbank

com.anz.android.gomoney

com.anz.android

de.fiducia.smartphone.android.banking.vr

it.volksbank.android

de.fiducia.smartphone.android.securego.vr

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

es.cm.android

es.cm.android.tablet

com.bestbuy.android

com.latuabancaperandroid

com.latuabanca_tabperandroid

it.copergmps.rt.pf.android.sp.bmps

com.ykb.android


-----

aib.ibank.android

com.jpm.sig.android

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

ru.alfabank.mobile.ua.android

ua.aval.dbo.client.android

ua.com.cs.ifobs.mobile.android.otp

ua.com.cs.ifobs.mobile.android.pivd

io.getdelta.android

com.coinbase.android

piuk.blockchain.android

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.citizensbank.androidapp

com.navyfederal.android

_Table 3: Targeted Application List_

## Conclusion

According to our research, there is a substantial increase in the amount of Android Banking
Trojans emerging of late. We have also observed that the malware authors are incorporating
new technology to steal information and money from victims. S.O.V.A. is the latest example of this shift in
trends.

S.O.V.A. malware uses the same techniques used by other Android Banking Trojans such as Aberebot,
Cerberus etc. Alongside being a Banking Trojan, the new trojan offers the capability to
perform DDoS attacks, cookie stealing, hiding notifications etc,. The author has mentioned that they plan
to incorporate other dangerous features such as ransomware.

These trojans can be avoided by following some basic cyber hygiene practices on mobile devices.

## Our Recommendations 

We have listed some of the essential cybersecurity best practices that create the first line of control against
attackers. We recommend that our readers follow the best practices given below:

1. If you find this malware in your device, uninstall using adb **uninstall or perform a factory reset.**


-----

1. Use the shared IoCs to monitor and block the malware infection.

1. Keep your anti-virus software updated to detect and remove malicious software.

1. Keep your Operating System and applications updated to the latest versions.

1. Use strong passwords and enable two-factor authentication.

1. Download and install software only from registered app stores.

## MITRE ATT&CK® Techniques

**Tactic** **Technique ID** **Technique Name**

Defense Evasion [T1406](https://attack.mitre.org/techniques/T1406) Obfuscated Files or Information

Credential Access [T1414](https://attack.mitre.org/techniques/T1414/) Capture Clipboard Data


Discovery [T1421](https://attack.mitre.org/techniques/T1421)

[T1430](https://attack.mitre.org/techniques/T1421%22%20%EF%BF%BDHYPERLINK%20%22https://attack.mitre.org/techniques/T1430)

[T1424](https://attack.mitre.org/techniques/T1424)

Collection [T1507](https://attack.mitre.org/techniques/T1507)

[T1412](https://attack.mitre.org/techniques/T1412/)

[T1432](https://attack.mitre.org/techniques/T1432/)

[T1429](https://attack.mitre.org/techniques/T1429)

Command and Control [T1571](https://attack.mitre.org/techniques/T1571)

[T1573](https://attack.mitre.org/techniques/T1573)


System Network Connections Discovery

Location Tracking

Process Discovery

Network Information Discovery

Capture SMS Messages

Access Contact List

Capture Audio

Non-Standard Port

Encrypted Channel


Impact [T1447](https://attack.mitre.org/techniques/T1447) Delete Device Data

## Indicators of Compromise (IoCs): 

**Indicators** **Indicator**
**type**


**Description**


8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57 SHA256 Hash of the
APK sample

efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7 SHA256 Hash of the
second APK
sample

795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6 SHA256 Hash of the
third APK
sample

dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165 SHA256 Hash of
the fourth APK
sample

hxxp://a0545193.xsph[.]ru URL C&C URL


-----

hxxp://l8j1nsk3j5h1msal973nk37[.]fun URL C&C URL of
another
sample

## About Us

[Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.com/)
cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time
visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has
also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020.
Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a
global presence. To learn more about Cyble, visit [www.cyble.com.](https://cyble.com/)


-----