{
	"id": "fb8d8167-5141-42c1-b379-76be361a7d13",
	"created_at": "2026-04-06T00:19:00.253482Z",
	"updated_at": "2026-04-10T13:12:21.663523Z",
	"deleted_at": null,
	"sha1_hash": "b5425463ace064f6271a7531a6747c6d7c0de1cf",
	"title": "Cyble - Deep-dive Analysis Of S.O.V.A. Android Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2216971,
	"plain_text": "Cyble - Deep-dive Analysis Of S.O.V.A. Android Banking Trojan\r\nPublished: 2021-09-14 · Archived: 2026-04-05 17:22:35 UTC\r\nCyble's research on S.O.V.A, an Android Banking Trojan that is under active development by a threat actor who\r\nplans on incorporating DDoS, MiTM, and ransomware functionalities into it.\r\nCyble Research Labs came across a blog post on the darkweb regarding an Android Banking Trojan named S.O.V.A\r\nduring our routine threat hunting exercise. The post was made by an unknown Threat Actor (TA) as an\r\nadvertisement on the XSS.is forum. The TA also mentions that the trojan is under development. Figure 1 shows the\r\npost by the TA on the XSS.is forum. \r\nFigure 1: Screenshot from S.O.V.A. blog in XSS.is forum \r\nAccording to the post, S.O.V.A. (“owl” in Russian) is a new Android banking trojan under active development. The\r\nTA has also mentioned that the trojan currently works on Android versions 7 – 11. The TA plans to upgrade the bot to\r\nwork on Android 12 as well. \r\nThe TA is planning to incorporate Distributed Denial of Service (DDoS), Man in the Middle (MiTM) and\r\nransomware functionalities into S.O.V.A. The features in the current version of S.O.V.A. malware are listed below: \r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/\r\nPage 1 of 17\n\n1. Standard data available in the device  \r\n2. Send SMS  \r\n3. Send inject PUSH  \r\n4. Send a cookie PUSH  \r\n5. Send U.S.S.D.  \r\n6. Standard Injections  \r\n7. 3-Stage Injections  \r\n8. Cookie Injections (Session Grabber)  \r\n9. Automatic Injections  \r\n10. Credit Card Injections have a CC check for validity. The victim will not be able to enter incorrect data.  \r\n11. Covert SMS Interception  \r\n12. Covert PUSH Interception  \r\n13. Keylogger  \r\n14. Delete Application  \r\nThe TA is also planning to add the following features in future variants:  \r\n1. 
Automatic 3-stage Injections  \r\n2. Automatic Cookie Injections  \r\n3. Complete Normal Clipper  \r\n4. DDOS  \r\n5. GIF Accessibility  \r\n6. Improving Panel Performance  \r\n7. Mini Ransomware with Card Insertion  \r\n8. Interception of Internet packets (packet capture, “MITM”)  \r\n9. Normal PUSH Notifications  \r\n10. Many Injections  \r\n11. V.N.C.  \r\n12. Interception of 2FA  \r\nTechnical Analysis \r\nAPK Metadata Information \r\nAPK File Info \r\nApp Name: Flash Player \r\nPackage Name: com.adobe.flashplayer \r\nSHA256 Hash: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57 \r\nThe figure below shows the metadata information of the sample. \r\nFigure 2: APK Metadata Information\r\nAs the figure shows, the malware sample disguises itself as Adobe Flash Player. \r\nManifest File Description \r\nThe fake Flash Player app requests 21 different permissions, of which the TA can abuse 12. The dangerous\r\npermissions requested by the malware are listed below. \r\nPermission Name  Description \r\nREAD_CONTACTS  Read the phone contacts  \r\nREAD_EXTERNAL_STORAGE  Read device external storage \r\nWRITE_EXTERNAL_STORAGE  Modify device external storage \r\nREAD_PHONE_STATE  Read phone state and device information  \r\nRECORD_AUDIO  Record audio using the device microphone \r\nCALL_PHONE  Place phone calls without user intervention \r\nREAD_CALL_LOG  Read the user’s call logs \r\nREAD_SMS  Read the SMS messages stored on the device \r\nRECEIVE_MMS  Fetch and process MMS messages \r\nRECEIVE_SMS  Fetch and process SMS messages \r\nSEND_SMS  Send SMS messages \r\nSYSTEM_ALERT_WINDOW  Display overlay windows on top of other apps \r\nWRITE_SMS  Modify or delete SMS messages stored in the database \r\nTable 1: APK Permission List \r\nUpon inspecting the Android components declared in the manifest, we identified the activity class that\r\nis initiated on starting the app from the icon. The declaration of the activity is shown in Figure 3. \r\nFigure 3: Launcher activity declared in Manifest file\r\nWe also observed that the permissions, activity classes, and services declared in the manifest file allow the malware\r\nto replace the Messages app on the device. Once the victim grants it the default messaging app role, the\r\nS.O.V.A. trojan can handle, send and receive SMS and MMS messages on the infected device. Refer\r\nto Figure 4. \r\nFigure 4: Declaration of the permission, service, receiver for receiving SMSs and MMSs \r\nThe S.O.V.A. malware also declares a notification listener service in the Android manifest\r\nfile. It abuses this capability to read and modify notifications received on the device. Once the user enables it, the banking\r\ntrojan can intercept all notifications, such as OTPs, personal messages, etc. The declaration is\r\nshown in the figure below. \r\nFigure 5: Manifest declaration for Notification listener\r\nThe figure below shows that the malware declares an accessibility service guarded by the\r\nBIND_ACCESSIBILITY_SERVICE permission and prompts the user to enable it. Enabling it gives the app access to a powerful\r\nservice running on the Android device called the Accessibility Service.  
\r\nFigure 6: Manifest declaration for BindAccessibility service \r\nThe Accessibility Service is a background service on the device that exists to aid users with disabilities.\r\nMalware such as banking trojans, Remote Access Trojans (RATs) and spyware abuse this service to intercept and\r\nmonitor all activity on the device screen, for example to capture the credentials\r\nbeing entered into another app. \r\nInitial Stage Behavior \r\nThe figure below shows the various activities performed by S.O.V.A. malware. \r\nFigure 7: Flow diagram of S.O.V.A. malware’s Initial Stage behavior \r\nThe stages shown in Figure 7 are: \r\n1. Prior to launch, the malware does not hold any permissions: no Notification listener permission and no other\r\ndangerous permissions. \r\n2. Once the victim starts the app, the malware requests the user to enable the Accessibility permission. Upon\r\nenabling the Accessibility permission, the malware grants itself all the requested permissions, hides the icon from the\r\nuser’s home screen, requests the victim to make the fake Flash Player the default messaging app, and\r\nblocks the victim from accessing the malicious app’s Settings page. This is done to prevent the\r\nuser from modifying the malware’s capabilities, such as its permissions. \r\nSource Code Analysis \r\nThe S.O.V.A. malware creates a background service called RequestService, which communicates with\r\nthe Command and Control (C\u0026C) server and performs malicious activities based on the commands received from the\r\nserver, as shown below. 
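The manifest traits covered in the Manifest File Description section (the dangerous permissions of Table 1, the SMS/MMS handler components that let the app take the default messaging app role, the notification listener, and the accessibility service) can be checked mechanically once the binary AndroidManifest.xml has been decoded with a tool such as apktool or androguard. The following Python script is an added example written for this edit; it is not code from Cyble's post and not the malware's own code. The two manifests it parses are constructed for the example: the first mirrors the declaration types the post describes with placeholder class names, the second is a benign comparison app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Permissions from Table 1 of the post that a banking trojan can abuse.
DANGEROUS_PERMISSIONS = {'android.permission.' + n for n in (
    'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'WRITE_EXTERNAL_STORAGE',
    'READ_PHONE_STATE', 'RECORD_AUDIO', 'CALL_PHONE', 'READ_CALL_LOG',
    'READ_SMS', 'RECEIVE_MMS', 'RECEIVE_SMS', 'SEND_SMS',
    'SYSTEM_ALERT_WINDOW', 'WRITE_SMS')}

# Android only offers the default SMS app role to an app that handles all
# four of these actions; declaring them is how a trojan replaces Messages.
DEFAULT_SMS_ACTIONS = {
    'android.provider.Telephony.SMS_DELIVER',
    'android.provider.Telephony.WAP_PUSH_DELIVER',
    'android.intent.action.SENDTO',
    'android.intent.action.RESPOND_VIA_MESSAGE',
}
# A service bound by the system must be guarded with one of these
# signature permissions, so their presence identifies the service type.
NOTIFICATION_LISTENER = 'android.permission.BIND_NOTIFICATION_LISTENER_SERVICE'
ACCESSIBILITY_SERVICE = 'android.permission.BIND_ACCESSIBILITY_SERVICE'

# Constructed decoded manifest (placeholder class names) with the declaration
# types the post describes; it is not the real sample's manifest.
BANKER_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.adobe.flashplayer'>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_MMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <application android:label='Flash Player'>
    <receiver android:name='.SmsReceiver' android:permission='android.permission.BROADCAST_SMS'>
      <intent-filter><action android:name='android.provider.Telephony.SMS_DELIVER'/></intent-filter></receiver>
    <receiver android:name='.MmsReceiver' android:permission='android.permission.BROADCAST_WAP_PUSH'>
      <intent-filter><action android:name='android.provider.Telephony.WAP_PUSH_DELIVER'/></intent-filter></receiver>
    <activity android:name='.ComposeActivity'>
      <intent-filter><action android:name='android.intent.action.SENDTO'/><data android:scheme='smsto'/></intent-filter></activity>
    <service android:name='.HeadlessSmsService' android:permission='android.permission.SEND_RESPOND_VIA_MESSAGE'>
      <intent-filter><action android:name='android.intent.action.RESPOND_VIA_MESSAGE'/></intent-filter></service>
    <service android:name='.NotifService' android:permission='android.permission.BIND_NOTIFICATION_LISTENER_SERVICE'>
      <intent-filter><action android:name='android.service.notification.NotificationListenerService'/></intent-filter></service>
    <service android:name='.AccService' android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter><action android:name='android.accessibilityservice.AccessibilityService'/></intent-filter></service>
  </application>
</manifest>'''

# Constructed benign manifest for comparison: one permission, no bound services.
BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.torch'>
  <uses-permission android:name='android.permission.CAMERA'/>
  <application android:label='Torch'>
    <activity android:name='.MainActivity'>
      <intent-filter><action android:name='android.intent.action.MAIN'/></intent-filter></activity>
  </application>
</manifest>'''


def triage_manifest(xml_text):
    '''Extract the manifest traits the post associates with S.O.V.A.'''
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + 'name') for p in root.iter('uses-permission')}
    actions = {a.get(ANDROID_NS + 'name') for a in root.iter('action')}
    bound = {s.get(ANDROID_NS + 'permission') for s in root.iter('service')}
    return {
        'package': root.get('package'),
        'dangerous': sorted(requested & DANGEROUS_PERMISSIONS),
        'default_sms_candidate': DEFAULT_SMS_ACTIONS <= actions,
        'notification_listener': NOTIFICATION_LISTENER in bound,
        'accessibility_service': ACCESSIBILITY_SERVICE in bound,
    }


def banker_indicators(findings):
    '''Name the traits that together form the overlay-banker profile.'''
    hits = []
    if findings['accessibility_service']:
        hits.append('accessibility service: screen monitoring and self-granted permissions')
    if findings['default_sms_candidate']:
        hits.append('default SMS app components: SMS and MMS interception')
    if findings['notification_listener']:
        hits.append('notification listener: OTP and push interception')
    if 'android.permission.SYSTEM_ALERT_WINDOW' in findings['dangerous']:
        hits.append('SYSTEM_ALERT_WINDOW: overlay injections')
    return hits


if __name__ == '__main__':
    for manifest in (BANKER_MANIFEST, BENIGN_MANIFEST):
        found = triage_manifest(manifest)
        print(found['package'], found['dangerous'], banker_indicators(found) or 'no banker traits')
```

The check keys on the android:permission attribute of each service rather than on class names, because class names are trivially renamed while a system-bound service will not start without the matching BIND_* permission. Any one of these traits has legitimate uses (a real SMS client declares the same four actions); it is the combination of an accessibility service, default-SMS components and overlay permission in an app that has no business with any of them that matches the profile described in this post. When running this over manifests pulled from untrusted APKs, parse with defusedxml rather than the stdlib parser.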
\r\nFigure 8: Code where C\u0026C commands are verified\r\nThe commands from the C\u0026C server are: \r\nCommand  Description \r\nstartddos  Initiate DDoS  \r\nstealer  Steal the session cookie of an app  \r\nhidensms  Hide received SMS from notifications \r\nstarthidenpush  Hide push notifications \r\ndelbot  Delete the bot from the device \r\ngetlog  Upload keylogged data \r\nstartkeylog  Clear the old key log and start keylogging \r\nscaninject  Update the targeted application list \r\nstopkeylog  Stop keylogging \r\nopeninject  Open a WebView with the URL from the C\u0026C \r\nstophidenpush  Stop hiding push notifications \r\nsendpush  Display a push notification to start a WebView injection \r\nstophidensms  Stop hiding received SMSs \r\nstopddos  Stop DDoS  \r\nstopscan  Stop scanning for new app targets \r\nstealerpush  Same as the sendpush command \r\nsendsms  Send an SMS message \r\nTable 2: S.O.V.A. Malware Commands List \r\nThe S.O.V.A. malware creates listeners for events on the device, such as boot complete, SMS received, etc. The\r\nmalware communicates with the C\u0026C server whenever these listeners are triggered. The malware also sends the\r\ndetails of the event along with the data, as shown in the code in Figure 9.  \r\nFigure 9: Code to Upload data based on Events \r\nS.O.V.A. malware constantly monitors the device screen for targeted applications. The targeted applications are\r\nstored in the packageList.txt file in the assets folder. The figure below shows the file with the list of targeted apps. 
\r\nFigure 10: Subset of Targeted App list in packageList.txt \r\nWhenever the user opens a target application, the malware creates an overlay using a WebView loaded with the link\r\nprovided by the C\u0026C server.  \r\nThe targeted apps include banking apps, cryptocurrency apps, etc. The TA can also add new target apps based on\r\ntheir requirements. \r\nThe malware uses Accessibility to monitor the victim’s device screen. The code used by the malware to\r\nmonitor the screen for targeted apps is shown in the figure below. \r\nFigure 11: Code to monitor device screen and start the overlay \r\nThe figure below shows the code that creates the overlay screen over the targeted application.  \r\nFigure 12: Code to create overlay using WebView and to steal the cookie \r\nIn the overlay screen, the victim is shown a fake login page of the targeted application. Upon login, the\r\nmalware steals the cookies using the CookieManager and CookieSyncManager classes, the code for which\r\nis shown in Figure 12. The trojan also has the capability to send SMS messages to the number provided by\r\nthe C\u0026C server. The code to send SMSs is shown in the figure below. \r\nFigure 13: Code to send SMS messages based on C\u0026C command \r\nThe trojan registers a service for monitoring clipboard changes. The code used by the malware for clipboard\r\nmonitoring is shown in Figure 14. \r\nFigure 14: Code to Capture Clipboard Contents \r\nThe S.O.V.A. malware also has the capability to perform DDoS attacks against a specific public server, which is provided\r\nas a command from the C\u0026C server. The target of the DDoS attack is chosen by the TA.   
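The next part of the post covers the C2 side: the server URL is hidden with Base64 and the bot talks to a handful of endpoint paths. Recovering such strings from a decompiled APK is routine triage, and the following Python script, an added example written for this edit rather than code from Cyble's post, shows the procedure on a constructed strings dump: it pulls out Base64-looking tokens, decodes only those that yield printable ASCII, keeps the ones shaped like URLs or endpoint paths, and defangs them for reporting. The strings list is constructed; the only real value in it is the C2 host reported in this post, and the Base64 tokens are generated at runtime so the example never hardcodes a mistyped encoding.

```python
import base64
import binascii
import re

# A run of Base64 alphabet long enough to hold a URL, with optional padding.
B64_TOKEN = re.compile('[A-Za-z0-9+/]{12,}={0,2}')

# Constructed strings dump, like a decompiler string table. The two encoded
# entries are built here; the host is the C2 reported in the post.
SAMPLE_STRINGS = [
    'com/adobe/flashplayer/RequestService',
    base64.b64encode(b'http://a0545193.xsph.ru').decode('ascii'),
    base64.b64encode(b'/keylog.php').decode('ascii'),
    'AAAAAAAAAAAAAAAAAAAAAAAA',   # valid Base64, decodes to NUL bytes, not text
    'packageList.txt',
    'startkeylog',
]


def decode_b64_strings(strings):
    '''Return (token, text) pairs for tokens that decode to printable ASCII.'''
    found = []
    for s in strings:
        for m in B64_TOKEN.finditer(s):
            token = m.group(0)
            padded = token + '=' * (-len(token) % 4)   # restore stripped padding
            try:
                raw = base64.b64decode(padded, validate=True)
                text = raw.decode('ascii')
            except (binascii.Error, UnicodeDecodeError):
                continue   # class paths and other alphabet-only junk land here
            if text and all(32 <= ord(c) < 127 for c in text):
                found.append((token, text))
    return found


def looks_like_c2(text):
    '''Keep URLs and absolute paths; drop decoded words that merely happen to be ASCII.'''
    return text.startswith(('http://', 'https://', '/'))


def defang(text):
    '''hxxp and [.] so the indicator cannot be clicked or auto-linked in a report.'''
    return text.replace('http', 'hxxp', 1).replace('.', '[.]')


def extract_c2_indicators(strings):
    '''Defanged URLs and endpoint paths recovered from Base64 strings.'''
    return [defang(text) for _, text in decode_b64_strings(strings) if looks_like_c2(text)]


if __name__ == '__main__':
    for ioc in extract_c2_indicators(SAMPLE_STRINGS):
        print(ioc)
```

The class path in the sample is accepted by the token regex (slashes are in the Base64 alphabet) but rejected at the decode step because its bytes are not ASCII, and the run of A characters decodes cleanly to NUL bytes and is rejected by the printable check; both filters are needed on real string tables, which are full of such tokens. This defangs every dot rather than only the last one as the post's IoC table does; either form is fine as long as the report is consistent.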
\r\nThe malware hides the C\u0026C server URL using Base64 encoding, as shown in the figure below. \r\nFigure 15: C\u0026C URL encoded using Base64 \r\nC\u0026C Server URL: hxxp://a0545193.xsph[.]ru \r\nThe C\u0026C endpoint methods used by the S.O.V.A. malware: \r\n/api – Main API endpoint \r\n/keylog.php – Upload keylogged data \r\n/testpost.php – Send stolen cookies \r\n/logpost.php – Send logs \r\nThe code below shows the C\u0026C endpoint methods used by the malware. \r\nFigure 16: Code with C\u0026C Endpoint methods \r\nWe also observed that the malware author is planning to include Telegram\r\nas a C\u0026C channel. This behavior is similar to the recent banking trojan called Aberebot. The code below shows the Telegram\r\nAPI URL included in the malware. \r\nFigure 17: Telegram API URL in Malware’s code\r\nThe targeted application list in assets/packageList.txt is shown below.  \r\nTargeted Application List \r\ncom.google.android.apps.authenticator2 \r\ncom.bankaustria.android.olb \r\ncom.cibc.android.mobi \r\ncom.rbc.mobile.android \r\ncz.airbank.android \r\ncom.kutxabank.android \r\nes.lacaixa.mobile.android.newwapicon \r\ncom.mtel.androidbea \r\njp.co.aeonbank.android.passbook \r\ncom.barclays.ke.mobile.android.ui \r\nnz.co.anz.android.mobilebanking \r\nalior.bankingapp.android \r\nwit.android.bcpBankingApp.millenniumPL \r\ncom.idamobile.android.hcb \r\nru.rosbank.android \r\ncom.vkontakte.android \r\nru.taxovichkof.android \r\nhr.asseco.android.jimba.mUCI.ro \r\nmay.maybank.android \r\ncom.amazon.mShop.android.shopping \r\nru.alfabank.mobile.android \r\ncom.idamob.tinkoff.android \r\nru.vtb24.mobilebanking.android \r\ncom.akbank.android.apps.akbank_direkt \r\ncom.akbank.android.apps.akbank_direkt_tablet 
\r\ncom.akbank.android.apps.akbank_direkt_tablet_20 \r\ncom.ykb.android \r\ncom.ykb.android.mobilonay \r\ncom.ykb.androidtablet \r\nbiz.mobinex.android.apps.cep_sifrematik \r\ncom.matriksmobile.android.ziraatTrader \r\nde.comdirect.android \r\nde.fiducia.smartphone.android.banking.vr \r\nfr.creditagricole.androidapp \r\ncom.boursorama.android.clients \r\ncom.caisseepargne.android.mobilebanking \r\nfr.lcl.android.customerarea \r\ncom.paypal.android.p2pmobile \r\ncom.usaa.mobile.android.usaa \r\ncom.chase.sig.android \r\ncom.grppl.android.shell.BOS \r\ncom.rbs.mobile.android.natwestoffshore \r\ncom.rbs.mobile.android.natwest \r\ncom.rbs.mobile.android.natwestbandc \r\ncom.rbs.mobile.android.rbs \r\ncom.rbs.mobile.android.rbsbandc \r\ncom.rbs.mobile.android.ubr \r\ncom.grppl.android.shell.halifax \r\ncom.grppl.android.shell.CMBlloydsTSB73 \r\ncom.barclays.android.barclaysmobilebanking \r\ncom.unionbank.ecommerce.mobile.android \r\nau.com.ingdirect.android \r\ncom.cba.android.netbank \r\ncom.anz.android.gomoney \r\ncom.anz.android \r\nde.fiducia.smartphone.android.banking.vr \r\nit.volksbank.android \r\nde.fiducia.smartphone.android.securego.vr \r\ncom.starfinanz.smob.android.sfinanzstatus \r\ncom.starfinanz.mobile.android.pushtan \r\ncom.starfinanz.smob.android.sfinanzstatus.tablet \r\ncom.starfinanz.smob.android.sbanking \r\ncom.palatine.android.mobilebanking.prod \r\nes.cm.android \r\nes.cm.android.tablet \r\ncom.bestbuy.android \r\ncom.latuabancaperandroid \r\ncom.latuabanca_tabperandroid \r\nit.copergmps.rt.pf.android.sp.bmps \r\ncom.ykb.android \r\naib.ibank.android \r\ncom.jpm.sig.android \r\npinacleMobileiPhoneApp.android \r\ncom.fuib.android.spot.online \r\ncom.ukrsibbank.client.android \r\nru.alfabank.mobile.ua.android 
\r\nua.aval.dbo.client.android \r\nua.com.cs.ifobs.mobile.android.otp \r\nua.com.cs.ifobs.mobile.android.pivd \r\nio.getdelta.android \r\ncom.coinbase.android \r\npiuk.blockchain.android \r\ncom.thunkable.android.santoshmehta364.UNOCOIN_LIVE \r\ncom.thunkable.android.manirana54.LocalBitCoins \r\ncom.thunkable.android.manirana54.LocalBitCoins_unblock \r\ncom.citizensbank.androidapp \r\ncom.navyfederal.android \r\nTable 3: Targeted Application List \r\nConclusion \r\nAccording to our research, there has been a substantial increase in the number of Android banking trojans emerging of late.\r\nWe have also observed that malware authors are incorporating new techniques to steal information and money\r\nfrom victims. S.O.V.A. is the latest example of this shift in trends.  \r\nS.O.V.A. malware uses the same techniques as other Android banking trojans such as Aberebot,\r\nCerberus, etc. Alongside being a banking trojan, the new trojan offers the capability to perform DDoS attacks,\r\ncookie stealing, hiding notifications, etc. The author has mentioned that they plan\r\nto incorporate other dangerous features such as ransomware. \r\nThese trojans can be avoided by following some basic cyber hygiene practices on mobile devices. \r\nOur Recommendations   \r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers.\r\nWe recommend that our readers follow the best practices given below:     \r\n1. If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset. \r\n2. Use the shared IoCs to monitor and block the malware infection.   \r\n3. Keep your anti-virus software updated to detect and remove malicious software.   \r\n4. Keep your Operating System and applications updated to the latest versions.   \r\n5. Use strong passwords and enable two-factor authentication.   
\r\n6. Download and install software only from registered app stores.   \r\nMITRE ATT\u0026CK® Techniques \r\nTactic  Technique ID  Technique Name \r\nDefense Evasion  T1406  Obfuscated Files or Information \r\nCredential Access  T1414  Capture Clipboard Data \r\nDiscovery  T1421  System Network Connections Discovery \r\nDiscovery  T1430  Location Tracking \r\nDiscovery  T1424  Process Discovery \r\nCollection  T1507  Network Information Discovery \r\nCollection  T1412  Capture SMS Messages \r\nCollection  T1432  Access Contact List \r\nCollection  T1429  Capture Audio \r\nCommand and Control  T1571  Non-Standard Port \r\nCommand and Control  T1573  Encrypted Channel \r\nImpact  T1447  Delete Device Data \r\nIndicators of Compromise (IoCs):   \r\nIndicator  Indicator type  Description \r\n8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57  SHA256  Hash of the APK sample \r\nefb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7  SHA256  Hash of the second APK sample \r\n795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6  SHA256  Hash of the third APK sample \r\ndd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165  SHA256  Hash of the fourth APK sample \r\nhxxp://a0545193.xsph[.]ru  URL  C\u0026C URL \r\nhxxp://l8j1nsk3j5h1msal973nk37[.]fun  URL  C\u0026C URL of another sample \r\nAbout Us \r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk\r\nfootprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as\r\none of the top 20 Best Cybersecurity Start-ups To Watch In 2020. 
Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit www.cyble.com.  \r\nSource: https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/"
	],
	"report_names": [
		"deep-dive-analysis-of-s-o-v-a-android-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5425463ace064f6271a7531a6747c6d7c0de1cf.pdf",
		"text": "https://archive.orkl.eu/b5425463ace064f6271a7531a6747c6d7c0de1cf.txt",
		"img": "https://archive.orkl.eu/b5425463ace064f6271a7531a6747c6d7c0de1cf.jpg"
	}
}