Cyble - Deep-dive Analysis Of S.O.V.A. Android Banking Trojan
Published: 2021-09-14 · Archived: 2026-04-05 17:22:35 UTC
Cyble's research on S.O.V.A, an Android Banking Trojan that is under active development by a threat actor who
plans on incorporating DDoS, MiTM, and ransomware functionalities into it.
Cyble Research Labs came across a blog post on the darkweb regarding an Android Banking Trojan named S.O.V.A
during our routine threat hunting exercise. The post was made by an unknown Threat Actor (TA) as an
advertisement on the XSS.is forum. The TA also mentions that the trojan is under development. Figure 1 shows the
post by Threat Actor (TA) on the XSS.is forum. 
Figure 1: Screenshot from S.O.V.A. blog in XSS.is forum 
According to the post, S.O.V.A. (“owl” in Russian) is a new Android banking trojan under active development. The
TA has also mentioned that the trojan currently works on Android version 7 – 11. The TA plans to upgrade the bot to
work on Android 12 as well. 
The TA is planning incorporate Distributed Denial of Service (DDoS), Man in the Middle (MiTM) and
ransomware functionalities into S.O.V.A. The features in the current version of S.O.V.A. malware are listed below: 
World's Best AI-Native Threat Intelligence
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 1 of 17

1. Standard data available in the device  
2. Send SMS  
3. Send inject PUSH  
4. Send a cookie PUSH  
5. Send U.S.S.D.  
6. Standard Injections  
7. 3-Stage Injections  
8. Cookie Injections (Session Grabber)  
9. Automatic Injections  
10. Credit Card Injections have a CC check for validity. The victim will not be able to enter incorrect data.  
11. Covert SMS Interception  
12. Covert PUSH Interception  
13. Keylogger  
14. Delete Application  
The TA is also planning to add the following features in future variants:  
1. Automatic 3-stage Injections  
2. Automatic Cookie Injections  
3. Complete Normal Clipper  
4. DDOS  
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 2 of 17

5. GIF Accessibility  
6. Improving Panel Performance  
7. Mini Ransomware with Card Insertion  
8. Interception of Internet packets (packet capture, “MITM”)  
9. Normal PUSH Notifications  
10. Many Injections  
11. V.N.C.  
12. Interception of 2FA  
Technical Analysis 
APK Metadata Information 
APK File Info 
App Name: Flash Player 
Package Name: com.adobe.flashplayer 
SHA256 Hash: 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57 
The figure below shows the metadata information of the sample 
Figure 2: APK Metadata Information
The malware sample is disguising itself as Adobe Flash player as shown in the above figure, 
Manifest File Description 
The fake Flash Player app requests 21 different permissions, of which the T.A. can abuse 12. The dangerous
permissions requested by the malware are listed below. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 3 of 17

Permission Name  Description 
READ_CONTACTS  Access to phone contacts  
READ_EXTERNAL_STORAGE  Access device external storage 
WRITE_EXTERNAL_STORAGE  Modify device external storage 
READ_PHONE_STATE   Access phone state and information  
RECORD_AUDIO  Allows to record audio using device microphone 
CALL_PHONE  Perform call without user intervention 
READ_CALL_LOG  Access user’s call logs 
READ_SMS  Access user’s SMSs stored in the device 
RECEIVE_MMS  Fetch and process M.M.S. messages 
RECEIVE_SMS  Fetch and process SMS messages 
SEND_SMS  Allows the app to send SMS messages 
SYSTEM_ALERT_WINDOW  Allows to display system-alerts over other apps 
WRITE_SMS  Modify or Delete SMSs stored in Database 
Table 1: APK Permission List 
Upon inspecting the Android components declared in the manifest, we identified the activity class that
is initiated on starting the app from the icon. The declaration of the activity is shown in Figure 3. 
Figure 3: Launcher activity declared in Manifest file
We also observed that the permissions, activity classes, and services declared in the manifest file allows the malware
to replace the Messages app on the device. Upon receiving permission to act as the default messaging app, the
S.O.V.A. trojan will be able to handle, send and receive SMS and M.M.S. messages from the infected device. Refer
to Figure 4. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 4 of 17

Figure 4: Declaration of the permission, service, receiver for receiving SMSs and MMSs 
The S.O.V.A. malware has also declared permissions to handle device notifications in the Android manifest
file. It abuses this capability to read and modify notifications received on the device. Upon enabling this, the banking
trojan will be able to intercept all notifications such as OTPs, personal messages, etc. The permission declaration is
shown in the figure below. 
Figure 5: Manifest declaration for Notification listener
The figure below shows that the malware requests
the user for the BIND_ACCESSIBILITY_PERMISSION. This permission allows apps to access a powerful
service running on the Android device called Accessibility Service.  
Figure 6: Manifest declaration for BindAccessibility service 
Accessibility Service is a background service running in the device which is used to aid users with disabilities.
Malware such as Banking trojans, Remote Access Trojans (R.A.T.s) and Spyware abuse this service to intercept and
monitor all activities happening on the device screen. Examples of this are the ability to intercept the credentials
being entered on another app. 
Initial Stage Behavior 
The figure below shows the various activities performed by S.O.V.A. malware. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 5 of 17

Figure 7: Flow diagram of S.O.V.A. malware’s Initial Stage behavior 
The three stages shown in Figure 7 are: 
1. Prior to launch, the malware does not have any permission : No Notification listener permission and no other
dangerous permissions 
2. Once the victim starts the app, the malware requests the user to enable Accessibility permission: Upon
enabling the Accessibility permission, the malware enables all the requested permissions, hides the icon from
user’s home screen, requests the victim to make the fake Flash player as the default messaging app, and
blocks the victim from accessing the malicious app’s Settings page. This is done to restrict the
user from modifying the malware’s capabilities such as permissions. 
Source Code Analysis 
The S.O.V.A. malware has created a background service called, RequestService, which communicates with
the Command and Control (C&C) server and performs malicious activities based on the commands received from the
server as shown below. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 6 of 17

Figure 8: Code where C&C commands are verified
The commands from the C&C server are: 
Command  Description 
startddos  Initiate DDoS  
stealer  Steal Session Cookie of an app  
hidensms  Hide received SMS from notification 
starthidenpush  Hide push notifications 
delbot  Delete the bot from device 
getlog  Upload key logged data 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 7 of 17

startkeylog  Clears old key log and initiate 
scaninject  Update targeted application list 
stopkeylog  Stop keylogging 
openinject  Open WebView with the URL from C&C 
stophidenpush  Stop hiding push notifications 
sendpush  Display Push notification to start WebView Injection 
stophidensms  Stop hiding received SMSs 
stopddos  Stop DDoS  
stopscan  Stop scan for new app targets 
stealerpush  Same as sendpush command 
sendsms  Send SMS message 
Table 2: S.O.V.A. Malware Commands List 
The S.O.V.A. malware creates listeners for events on the device, such as boot complete, SMS received, etc. The
malware communicates with the C&C server whenever these listeners are triggered. The malware also sends the
details of the event along with the data as shown in code in Figure 9.  
Figure 9: Code to Upload data based on Events 
S.O.V.A. malware constantly monitors the device screen for targeted applications. The targeted applications are
stored in the packageList.txt file in the assets folder. The below figure shows the file with the list of targeted apps. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 8 of 17

Figure 10: Subset of Targeted App list in packageList.txt 
Whenever the user opens a target application, the malware creates an overlay using the WebView with the link
provided by C&C server.  
The targeted apps include banking apps, cryptocurrency apps etc. The TA can also add new apps to target based on
their requirements. 
The malware uses Accessibility to monitor the victim’s device screen. The code used by the malware to
monitor the screen for targeted apps is shown in the figure below. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 9 of 17

Figure 11: Code to monitor device screen and start the overlay 
The below figure shows the code create overlay screen over the targeted application.  
Figure 12: Code to create overlay using WebVIew and to steal the cookie 
In the overlay screen, the victim will be displayed a fake login page of the targeted application. Upon login, the
malware steals the cookies using the CookieManager and CookieSyncManager features, the code for which
is shown in Figure 12. The trojan also has the capability to send SMS messages to the number provided by
the C&C server. The code to send SMSs is shown in the below figure. 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 10 of 17

Figure 13: Code to send SMS messages based on C&C command 
The trojan registers a service for monitoring the clipboard changes. The code used by the malware for clipboard
monitoring is shown in figure 14. 
Figure 14: Code to Capture Clipboard Contents 
The S.O.V.A. malware also has the capability to perform DDoS attacks on a specific public server which is provided
as a command from C&C server. The target of the DDoS attacks is shared by the TA.   
The malware hides the C&C server URL using Base64 encoding as shown in the below figure. 
Figure 15: C&C URL encoded using Base64 
C&C Server URL: hxxp://a0545193.xsph[.]ru 
The C&C endpoint methods used by the S.O.V.A. malware: 
/api – Main API endpoint method 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 11 of 17

/keylog.php – Keylog stealing method 
/testpost.php – send stolen cookies 
/logpost.php – send logs 
The below code shows the C&C endpoint methods used by the malware 
Figure 16: Code with C&C Endpoint methods 
We also observed that the malware author is planning include Telegram
as C&C. This behavior is similar to the recent Banking Trojan called Aberebot. The code below shows the Telegram
API URL included in the malware. 
Figure 17: Telegram API URL in Malware’s code
The targeted application list in assets/packageList.txt is shown below.  
Targeted Application List 
com.google.android.apps.authenticator2 
com.bankaustria.android.olb 
com.cibc.android.mobi 
com.rbc.mobile.android 
cz.airbank.android 
com.kutxabank.android 
es.lacaixa.mobile.android.newwapicon 
com.mtel.androidbea 
jp.co.aeonbank.android.passbook 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 12 of 17

com.barclays.ke.mobile.android.ui 
nz.co.anz.android.mobilebanking 
alior.bankingapp.android 
wit.android.bcpBankingApp.millenniumPL 
com.idamobile.android.hcb 
ru.rosbank.android 
com.vkontakte.android 
ru.taxovichkof.android 
hr.asseco.android.jimba.mUCI.ro 
may.maybank.android 
com.amazon.mShop.android.shopping 
ru.alfabank.mobile.android 
com.idamob.tinkoff.android 
ru.vtb24.mobilebanking.android 
com.akbank.android.apps.akbank_direkt 
com.akbank.android.apps.akbank_direkt_tablet 
com.akbank.android.apps.akbank_direkt_tablet_20 
com.ykb.android 
com.ykb.android.mobilonay 
com.ykb.androidtablet 
biz.mobinex.android.apps.cep_sifrematik 
com.matriksmobile.android.ziraatTrader 
de.comdirect.android 
de.fiducia.smartphone.android.banking.vr 
fr.creditagricole.androidapp 
com.boursorama.android.clients 
com.caisseepargne.android.mobilebanking 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 13 of 17

fr.lcl.android.customerarea 
com.paypal.android.p2pmobile 
com.usaa.mobile.android.usaa 
com.chase.sig.android 
com.grppl.android.shell.BOS 
com.rbs.mobile.android.natwestoffshore 
com.rbs.mobile.android.natwest 
com.rbs.mobile.android.natwestbandc 
com.rbs.mobile.android.rbs 
com.rbs.mobile.android.rbsbandc 
com.rbs.mobile.android.ubr 
com.grppl.android.shell.halifax 
com.grppl.android.shell.CMBlloydsTSB73 
com.barclays.android.barclaysmobilebanking 
com.unionbank.ecommerce.mobile.android 
au.com.ingdirect.android 
com.cba.android.netbank 
com.anz.android.gomoney 
com.anz.android 
de.fiducia.smartphone.android.banking.vr 
it.volksbank.android 
de.fiducia.smartphone.android.securego.vr 
com.starfinanz.smob.android.sfinanzstatus 
com.starfinanz.mobile.android.pushtan 
com.starfinanz.smob.android.sfinanzstatus.tablet 
com.starfinanz.smob.android.sbanking 
com.palatine.android.mobilebanking.prod 
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 14 of 17

es.cm.android 
es.cm.android.tablet 
com.bestbuy.android 
com.latuabancaperandroid 
com.latuabanca_tabperandroid 
it.copergmps.rt.pf.android.sp.bmps 
com.ykb.android 
aib.ibank.android 
com.jpm.sig.android 
pinacleMobileiPhoneApp.android 
com.fuib.android.spot.online 
com.ukrsibbank.client.android 
ru.alfabank.mobile.ua.android 
ua.aval.dbo.client.android 
ua.com.cs.ifobs.mobile.android.otp 
ua.com.cs.ifobs.mobile.android.pivd 
io.getdelta.android 
com.coinbase.android 
piuk.blockchain.android 
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE 
com.thunkable.android.manirana54.LocalBitCoins 
com.thunkable.android.manirana54.LocalBitCoins_unblock 
com.citizensbank.androidapp 
com.navyfederal.android 
Table 3: Targeted Application List 
Conclusion 
According to our research, there is a substantial increase in the amount of Android Banking Trojans emerging of late.
We have also observed that the malware authors are incorporating new technology to steal information and money
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 15 of 17

from victims. S.O.V.A. is the latest example of this shift in trends.  
S.O.V.A. malware uses the same techniques used by other Android Banking Trojans such as Aberebot,
Cerberus etc. Alongside being a Banking Trojan, the new trojan offers the capability to perform DDoS attacks,
cookie stealing, hiding notifications etc,. The author has mentioned that they plan
to incorporate other dangerous features such as ransomware. 
These trojans can be avoided by following some basic cyber hygiene practices on mobile devices. 
Our Recommendations   
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers.
We recommend that our readers follow the best practices given below:     
1. If you find this malware in your device, uninstall using adb uninstall or perform a factory reset. 
2. Use the shared IoCs to monitor and block the malware infection.   
3. Keep your anti-virus software updated to detect and remove malicious software.   
4. Keep your Operating System and applications updated to the latest versions.   
5. Use strong passwords and enable two-factor authentication.   
6. Download and install software only from registered app stores.   
MITRE ATT&CK® Techniques 
Tactic   Technique ID   Technique Name 
Defense Evasion  T1406  Obfuscated Files or Information 
Credential Access  T1414  Capture Clipboard Data 
 Discovery 
T1421
T1430
T1424 
System Network Connections Discovery 
Location Tracking 
Process Discovery 
 Collection 
T1507
T1412
T1432
T1429 
Network Information Discovery 
Capture SMS Messages 
Access Contact List 
Capture Audio 
Command and Control 
T1571
T1573 
Non-Standard Port 
Encrypted Channel 
Impact  T1447  Delete Device Data 
Indicators of Compromise (IoCs):   
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 16 of 17

Indicators 
Indicator
type 
Description 
8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57  SHA256 
Hash of the
APK sample 
efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7  SHA256 
Hash of the
second APK
sample 
795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6  SHA256 
Hash of the
third APK
sample 
dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165  SHA256 
Hash of
the fourth APK
sample 
hxxp://a0545193.xsph[.]ru  URL  C&C URL 
hxxp://l8j1nsk3j5h1msal973nk37[.]fun  URL 
C&C URL of
another
sample 
About Us 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and
exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk
footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as
one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with
offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,
visit www.cyble.com.  
Source: https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/
Page 17 of 17