{
	"id": "c807750b-68d2-4c06-96f3-e9935b14d2a8",
	"created_at": "2026-04-06T00:21:49.390769Z",
	"updated_at": "2026-04-10T13:12:49.837839Z",
	"deleted_at": null,
	"sha1_hash": "aa546f948f988c47256802c42aa1396a0cea9fdd",
	"title": "SOVA malware is back and is evolving rapidly",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10634004,
	"plain_text": "SOVA malware is back and is evolving rapidly\r\nBy Francesco Iubatti, Federico Valentini\r\nArchived: 2026-04-05 12:45:59 UTC\r\nIntroduction\r\nIn September 2021, SOVA, a new Android Banking Trojan, was announced in a known underground forum. Even\r\nthough at that time the author claimed the malware was still under development, it actually already had multiple\r\ncapabilities and was essentially almost at the go-to-market phase.\r\nFurthermore, the authors of SOVA showed a roadmap with the planned updates of the malware, as shown in Figure 1.\r\nFigure 1 – Roadmap of SOVA (September 2021)\r\nUntil March 2022, multiple versions of SOVA were found and some of these features were already implemented,\r\nsuch as: 2FA interception, cookie stealing and injections for new targets and countries (e.g. multiple Philippine\r\nbanks).\r\nIn July 2022, we discovered a new version of SOVA (v4) which presents new capabilities and seems to be\r\ntargeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.\r\nhttps://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly\r\nPage 1 of 10\n\nFigure 2 – Main countries targeted by SOVA v4\r\nUpdates - SOVA v4\r\nStarting from May 2022, Threat Actors (TAs) behind SOVA have started to deliver a new version of their\r\nmalware, hiding within fake Android applications that show up with the logo of a few famous ones, like Chrome,\r\nAmazon, NFT platforms or others.\r\nFigure 3 – Main icons used by SOVA v4\r\nUnlike the previous versions, this time several new pieces of code were added. The most interesting part is\r\nrelated to the VNC capability. As shown in Figure 1, this feature has been in the SOVA roadmap since September\r\n2021 and that is strong evidence that TAs are constantly updating the malware with new features and\r\ncapabilities.\r\nStarting from SOVA v4, TAs can obtain screenshots of the infected devices, to retrieve more information from the\r\nvictims. 
Furthermore, the malware is also able to record and obtain any sensitive information, as shown in Figure\r\n5. These features, combined with Accessibility services, enable TAs to perform gestures and, consequently,\r\nfraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g.\r\nOscorp or BRATA).\r\nWith SOVA v4, TAs are able to manage multiple commands, such as: screen click, swipe, copy/paste and the\r\ncapability to show an overlay screen to hide the screen from the victim. However, it was observed that a lot of log\r\ninformation is still sent back to the C2. This behavior is a strong indicator that SOVA is still going through a\r\ndevelopment process, while TAs are rolling out new features and capabilities.\r\nFigure 4 – Code comparison between SOVA v3 and v4\r\nFigure 5 – Casting/Recording feature of SOVA v4\r\nMoreover, in SOVA v4, the cookie stealer mechanism was refactored and improved. In particular, TAs specified a\r\ncomprehensive list of Google services that they are interested in stealing from (e.g. Gmail, GPay, and Google Password\r\nManager), plus a list of other applications. For each of the stolen cookies, SOVA will also collect additional\r\ninformation such as “is httpOnly”, its expiration date, etc.\r\nFigure 6 – Refactoring and improvement of the cookie stealer mechanism in SOVA v4\r\nAnother interesting update in SOVA v4 is the refactoring of its “protections” module, which aims to protect\r\nthe malware from different actions by the victim. 
For example, if the user tries to uninstall the malware from the settings or\r\nby pressing the icon, SOVA is able to intercept these actions and prevent them (through the abuse of the\r\nAccessibility services) by returning to the home screen and showing a toast (small popup) displaying “This app is\r\nsecured”.\r\nFigure 7 – “Protections” code comparison between SOVA v3 and v4\r\nA peculiarity of SOVA v4 is the relocation of the “core” of the malware. Like the major Android banking trojans, SOVA\r\nuses the .apk just to unpack a .dex file which contains the real malicious functionalities of the malware. In the\r\nprevious version, SOVA stored the .dex file inside the directory of the app, while in the current version it uses the\r\ndevice's shared storage directory (“Android/obb/”) to store it.\r\nLastly, in SOVA v4, an entirely new module was dedicated to the Binance exchange and the Trust Wallet (official\r\ncrypto wallet of Binance). For both applications, TAs aim to obtain different information, like the balance of the\r\naccount, different actions performed by the victim inside the app and, finally, even the seed phrase (a collection of\r\nwords) used to access the crypto wallet.\r\nC2 communications and panel\r\nThe communications between SOVA v4 and the C2 didn’t change compared to the previous version (v3), except\r\nfor the new command (vncinfo) used for its new VNC feature. 
Meanwhile, the C2 panel of SOVA was also\r\nupdated compared to the first version published by the author in September 2021, with some new features and a\r\ncomplete UI restyle (as shown in Figure 8).\r\nFigure 8 – Comparison between SOVA C2 panels\r\nFigure 9 – Comparison between SOVA configuration files\r\nNew Targets\r\nThe first version of SOVA had almost 90 targeted applications (including banks, crypto wallets/exchanges, and\r\ngeneric shopping apps), initially listed and stored in the packageList.txt file within the assets/ folder. In the latest\r\nsamples, this file has been removed and the targeted applications are managed through the communications\r\nbetween the malware and the C2.\r\nThe number of targeted applications has grown faster, compared to the initial phases of SOVA: during March 2022\r\nmultiple Philippine banks were added and then during May 2022, another list of banking applications was\r\nadded too, as shown in the following Figure 10.\r\nFigure 10 – Comparison between SOVA targets, from September 2021 to July 2022\r\nTo obtain the list of targeted applications, SOVA sends the list of all applications installed on the device to the C2,\r\nright after it has been installed. 
At this point, the C2 sends back to the malware the list of addresses for each\r\ntargeted application, and the malware stores this information inside an XML file.\r\nFigure 11 – Example of communication between SOVA v4 and the C2 server\r\nFigure 12 – Example of fake page used to steal credentials and credit card information\r\nAnother interesting fact is that, in some of the analyzed samples of SOVA v4, the list of CIS regions used in the\r\nprevious versions (used to exclude these countries from attacks) was removed and, at the time of writing, all the\r\ninitially targeted Russian and Ukrainian apps were removed.\r\nFigure 13 – List of CIS regions removed in one of the samples of SOVA v4\r\nFurther updates - SOVA v5\r\nWhile reviewing the document on SOVA v4, we spotted on our threat intelligence platform (Cleafy ASK)\r\nmultiple samples that seem to belong to a further variant of SOVA (v5); we want to provide you with an overview\r\nof this variant too.\r\nAnalyzing the code of the malware, it is possible to observe a big refactoring of the code, the addition of new\r\nfeatures and some small changes in the communications between the malware and the C2 server. Furthermore, the\r\nsamples of SOVA v5 that we analyzed don’t present the VNC module that we observed in SOVA v4: our\r\nhypothesis is that it was simply not integrated in the v5 version yet. 
In fact, the malware seems to be still under\r\ndevelopment, due to the presence of multiple logs used for debugging.\r\nFigure 14 – List of commands of SOVA v5\r\nAlthough there are several changes, the most interesting feature added in SOVA v5 is the ransomware module,\r\nwhich was announced in the roadmap of September 2021.\r\nHowever, even though this feature has already been implemented in the current version (v5), at the time of writing\r\nit seems to be still under development.\r\nThe aim of TAs is to encrypt the files inside the infected devices using an AES algorithm and rename them\r\nwith the extension “.enc”.\r\nThe ransomware feature is quite interesting as it’s still not a common one in the Android banking trojan\r\nlandscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices have become for most\r\npeople the central storage for personal and business data.\r\nFigure 15 – Ransomware module of SOVA v5\r\nConclusions\r\nWith the discovery of SOVA v4 and SOVA v5, we uncovered new evidence about how TAs are constantly\r\nimproving their malware and the C2 panel, honouring the published roadmap.\r\nAlthough the malware is still under development, it’s ready to carry out fraudulent activities at scale.\r\nAppendix 1: IOCs\r\nIoC Description\r\n0533968891354ac78b45c486600a7890 SOVA v4\r\nca559118f4605b0316a13b8cfa321f65 SOVA v4 without CIS regions\r\nsocrersutagans.]site C2 of SOVA v4\r\nomainwpatnlfq.]site Server used to display fake website of targeted app\r\n74b8956dc35fd8a5eb2f7a5d313e60ca SOVA v5\r\nsatandemantenimiento.com C2 of SOVA v5\r\nhttp://wecrvtbyutrcewwretyntrverfd.xyz C2 of SOVA v5\r\nSource: 
https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"
	],
	"report_names": [
		"sova-malware-is-back-and-is-evolving-rapidly"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa546f948f988c47256802c42aa1396a0cea9fdd.pdf",
		"text": "https://archive.orkl.eu/aa546f948f988c47256802c42aa1396a0cea9fdd.txt",
		"img": "https://archive.orkl.eu/aa546f948f988c47256802c42aa1396a0cea9fdd.jpg"
	}
}