{
	"id": "7b973fad-cd3c-4f8c-8324-af5f235dead3",
	"created_at": "2026-04-06T00:06:11.547024Z",
	"updated_at": "2026-04-10T13:12:43.306414Z",
	"deleted_at": null,
	"sha1_hash": "bde8db280453e3ae82cf1d30da2eb14750967004",
	"title": "S.O.V.A. - A new Android Banking trojan with fowl intentions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2342602,
	"plain_text": "S.O.V.A. - A new Android Banking trojan with fowl intentions\r\nPublished: 2024-10-01 · Archived: 2026-04-05 16:46:46 UTC\r\nIntro\r\nAt the beginning of August 2021, during our daily threat hunting, ThreatFabric researchers came across a new Android banking trojan. Based on the login panel of the C2 server, we could see that it was called S.O.V.A. by its own creators.\r\nSova is the Russian word for owl. The name was probably chosen by the threat actor because of the owl’s nature as a nocturnal bird of prey, quiet but efficient in stalking and capturing its victims. To the best of our knowledge, this is a completely new Android banking trojan. It is currently in the development and testing phase, and its authors intend to add, on top of its overlay and keylogging mechanisms, other highly dangerous features such as DDoS and ransomware in future versions. A few aspects differentiate this trojan from existing ones, both in its features and in how it is developed.\r\nS.O.V.A. contains features that are usually available in current Android malware, including:\r\nOverlay attacks;\r\nKeylogging;\r\nNotification manipulation.\r\nIn addition, it stands out for a feature that is not as common in Android malware:\r\nSession cookie theft\r\nThis functionality gives the criminals access to the victim’s valid, logged-in sessions without the need to know the banking credentials.\r\nRegardless, this malware is still in its infancy and undergoing a testing phase at the time of writing, while its authors announce serious and worrying plans for the near future. This observation is confirmed by a message from its author(s) posted on hacking forums.\r\nThe author publicly advertises a trial of this new product - targeting a large number of banks - looking to improve the bot’s functionalities and to test it on a large variety of mobile devices. 
In addition to testing, the authors have established a clear roadmap of future features to be implemented in the malware.\r\nLike many others, S.O.V.A. is also taking a page out of traditional desktop malware, confirming a trend that has existed in mobile malware for the past few years. Adding DDoS, Man-in-the-Middle and ransomware to its arsenal could mean incredible damage to end users, on top of the already very dangerous threat that overlay and keylogging attacks pose.\r\nRegarding development, S.O.V.A. also stands out for being fully developed in Kotlin, a language supported by Android and thought by many to be the future of Android development. If the author’s promises on future features are kept, S.O.V.A. could potentially be the most complete and advanced Android bot fully developed in Kotlin to this day.\r\nhttps://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html\r\nPage 1 of 19\r\nNOTE: Just one day before the publishing of this blog, two new versions of S.O.V.A. were found in the wild. The new versions do not change radically from the original, but do introduce some new features and commands. In the following analysis, the additions brought by the newer versions of the malware are tagged with (v2) and (v3) markers.\r\nAn ‘Updates’ section was added at the end of the blog to sum up the new features.\r\nContext\r\nSo far, ThreatFabric has identified five samples of S.O.V.A. in the wild, covering a total of three different malware versions.\r\nThe following screenshot contains the VirusTotal page for the obfuscated and packed version of S.O.V.A.. The string highlighted underneath the file’s hash is the name the file was uploaded to VirusTotal with: ‘vormastor test crypted.apk’. As mentioned in the introduction, we conclude that this malware family is still in its testing phase and has been for a few weeks. 
This is confirmed by a post by the author and seller of S.O.V.A., who was already looking for testers at the end of July.\r\nAt the beginning of September, this same user published the first post aimed at selling the bot. In the same thread, the seller is criticized by other members for having Russian banks in the list of targets. From this thread it also seems that future versions of this Android malware could switch back to Java, to address compatibility issues with the obfuscation software they are using.\r\nAccording to the authors, there are already multiple overlays available for different banking institutions from the USA and Spain, and they offer to create more if the buyer needs them.\r\nCommands\r\nThe main objective of S.O.V.A. is to gather the victim’s PII.\r\nS.O.V.A. tries its best to remain unnoticed by the victim. To achieve this, S.O.V.A. abuses the overlay mechanic to trick victims into revealing their passwords and other important private information. In an overlay attack, users type their credentials into what they think is the legitimate banking app, effectively handing them to a page controlled by the attacker. S.O.V.A. can also steal session cookies from the device. This feature is not unheard of, but is definitely not common in modern Android trojans.\r\nLike most banking trojans, S.O.V.A. heavily relies on Accessibility Services. 
When it is started for the first time, the malware hides its app icon and abuses the Accessibility Services to obtain all the permissions it needs to operate.\r\nFunctionalities of the bot, as advertised by its authors, include:\r\nSteal device data.\r\nSend SMS.\r\nOverlay and cookie injection.\r\nOverlay and cookie injection via push notification.\r\nUSSD execution.\r\nCredit card overlays with validity check.\r\nHidden interception of SMS.\r\nHidden interception of notifications.\r\nKeylogger.\r\nUninstallation of the app.\r\nResilience against uninstallation by the victim.\r\nThe features that S.O.V.A. offers are in line with the standard for Android malware that we are used to seeing in 2021. However, as previously mentioned, the criminals behind this bot are very proactive and have also released a detailed roadmap of the features to be included in future releases of S.O.V.A.:\r\nAutomatic 3-stage overlay injections.\r\nAutomatic cookie injections.\r\nClipboard manipulation.\r\nDDoS.\r\nImproved panel health.\r\nRansomware (with overlay for card number).\r\nMan in the Middle (MitM).\r\nNormal push notifications.\r\nMore overlays.\r\nVNC.\r\n2FA interception.\r\nIt is very interesting to note that this group has a roadmap for their product, including a phase with early adopters to test the bot and the infrastructure. The second set of features, planned for future developments, is very advanced and would push S.O.V.A. into a different realm of Android banking malware. If these plans become real, they will make S.O.V.A. 
potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities.\r\nNonetheless, this behavior indicates that the authors have a lot of ambition for this malware, making it a very dangerous threat to the Android banking ecosystem.\r\nCommands list\r\nThe following list includes all the commands that can be sent by the C2 to the bot:\r\nCommand | Description\r\nstartddos | Start DDoS service\r\nstealer | Steal session cookie of specific app\r\nhidensms | Hide received SMS\r\nstarthidenpush | Hide push notifications\r\ndelbot | Delete the bot from device\r\ngetlog | Send key logged data\r\nstartkeylog | Clears key logged data\r\nscaninject | Adds new injects to injects list\r\nstopkeylog | Same as startkeylog\r\nopeninject | Open WebView with link provided\r\nstophidenpush | Stop hiding push notifications\r\nsendpush | Display push notification to start WebView injection\r\nstophidensms | Stops hiding received SMS\r\nstopddos | Stop DDoS service\r\nstopscan | Stops injects\r\nstealerpush | Same as sendpush\r\nsendsms | Send SMS\r\nscancookie | Adds package to cookie stealing list (v2)\r\nstopcookie | Removes package names from cookie stealing list (v2)\r\nget2fa | Obtains 2-factor authentication tokens from Google Authenticator (v3)\r\nAs expected, not all the commands function properly; a few are not fully implemented or are copies of existing ones. This can be a result of the bot still being in the testing and development phase.\r\nCapabilities\r\nHere is a brief description of the main and most interesting functionalities of S.O.V.A.\r\nOverlay Attack\r\nLike the large majority of Android banking trojans, S.O.V.A. 
relies on overlay attacks to steal PII from its victims. If the user tries to open a banking application included in S.O.V.A.’s active target list, the malware is notified through Accessibility Services and displays a WebView overlay posing as the intended banking application.\r\nIn addition, the author claims that future S.O.V.A. releases will have a so-called 3-stage overlay. In the screenshots below you can see a demonstration of this 3-stage overlay, taken from a demonstration video released in early September by the criminals themselves. It is not clear what the three stages imply, but it could mean a more advanced and realistic process, maybe involving the download of additional software to the device.\r\nThe target list is contained in an asset file called ‘packageList.txt’. This list is quite extensive, and contains banking applications, cryptocurrency wallets, and shopping applications that require credit card access to operate. In the following graph you can observe the country distribution of the targets:\r\nAs mentioned before, the authors declared in their online advertisement that at the moment they only have mobile banking overlays for banks in Spain and the USA, but as we have seen before with many other Android banking trojans, it is very easy for criminals to add new overlays in a very short amount of time.\r\nSession Stealer\r\nAnother interesting feature of S.O.V.A., which is uncommon in Android malware, is the ability to steal cookies. Cookies are a vital part of web functionality, allowing users to maintain open sessions in their browsers without having to re-enter their credentials repeatedly. 
A malicious actor in possession of a valid session cookie effectively has access to the victim’s logged-in web session.\r\nS.O.V.A. creates a WebView that opens the legitimate web URL of the target application and, once the victim successfully logs in, steals the cookies through the Android CookieManager.\r\nThe following code fragment shows how the overlay WebView is created:\r\nthis.setContentView(0x7F070001); // layout:activity_web_view\r\nWebView v1 = (WebView) this.a(0x7F05001D); // id:web_view\r\nChecks.checkNotNullWithName(v1, \"web_view\");\r\nWebSettings webSettings = v1.getSettings();\r\nChecks.checkNotNullWithName(webSettings, \"web_view.settings\");\r\nwebSettings.setJavaScriptEnabled(true);\r\n((WebView) this.a(0x7F05001D)).setLayerType(2, null); // id:web_view\r\nString link = this.getIntent().getStringExtra(\"link\");\r\nboolean getCookieFlag = this.getIntent().getBooleanExtra(\"getCookie\", false);\r\nCookieManager cookieManager = CookieManager.getInstance();\r\nCookieSyncManager.createInstance(this.getApplicationContext());\r\ncookieManager.setAcceptThirdPartyCookies(((WebView) this.a(0x7F05001D)), true); // id:web_view\r\ncookieManager.acceptCookie();\r\nCookieSyncManager.getInstance().startSync();\r\nWebView webView2 = (WebView) this.a(0x7F05001D); // id:web_view\r\nChecks.checkNotNullWithName(webView2, \"web_view\");\r\nChecks.checkNotNullWithName(cookieManager, \"cookieManager\");\r\nwebView2.setWebViewClient(new CustomWebViewClient(this, ((boolean)(((int) getCookieFlag))), cookieManager));\r\nif (link != null) {\r\n    ((WebView) this.a(0x7F05001D)).loadUrl(link); // id:web_view\r\n}\r\nThe malware does not require specific permissions to run this code: the login happens inside a WebView owned by the malware process, whose cookie jar the app can read through CookieManager without any Android runtime permission. ThreatFabric has confirmed that it is capable of stealing session cookies from major websites like Gmail or PayPal with ease. 
In the newer version of S.O.V.A., the criminals added the option to create a list of applications whose cookies are monitored automatically.\r\nDDoS\r\nDDoS stands for Distributed Denial of Service. It is a type of attack whose objective is to exhaust the resources of a target system to make it unavailable to its intended users. Based on the advertisement post, this feature is a work in progress and will be available in the future. S.O.V.A. is not the first malware to incorporate DDoS capabilities, but it is an uncommon feature in the current Android malware ecosystem.\r\nDespite being listed among the features still to be released, the bot already has a startddos command, which executes the following code within a Kotlin coroutine:\r\ndo {\r\n    retrofitManager v3 = this.mRetrofitManager;\r\n    if (!v3.isActive) {\r\n        return l.a;\r\n    }\r\n    Objects.requireNonNull(v3.retrofitClient);\r\n    this.i = v1_1;\r\n    this.j = 1;\r\n} while (retrofitClient.ddosEndpoint.request(this.link, this) != v0);\r\nCurrently, this functionality is listed by the authors as a work in progress. Despite this, the bot is already able to issue requests to a given URL using Retrofit:\r\nRetroFitBuilder DDOSretroFitBuilder = new RetroFitBuilder();\r\nDDOSretroFitBuilder.setHTTPClient(okHTTPClient);\r\nDDOSretroFitBuilder.setBaseUrl(\"http://google.com/\");\r\nmyConverterFactory DDoSConverterFactory = myConverterFactory.c();\r\nDDOSretroFitBuilder.converterFactories.add(DDoSConverterFactory);\r\nretrofitClient.ddosEndpoint = (ddosEndpoint) DDOSretroFitBuilder.buildRetrofit().getProxyClass(ddosEndpoint.clas\r\nDespite setting ‘google.com’ as the base URL, by using Retrofit’s @Url annotation the authors can dynamically supply a completely different URL for each request. 
As DDoS is not listed among the bot’s current capabilities, it is likely that the criminals do not yet trust this implementation enough to consider it a complete feature.\r\nClipper \u0026 Cryptocurrency wallets\r\nAnother feature incorporated in S.O.V.A., which we have observed in other malware such as Medusa, is the ability to alter the data in the system clipboard. The bot registers an event listener that notifies the malware whenever new data is saved to the clipboard. If the string is potentially a cryptocurrency wallet address, S.O.V.A. substitutes it with an attacker-controlled address for the corresponding cryptocurrency.\r\nThe supported cryptocurrencies are Bitcoin, Ethereum, Binance Coin, and TRON. The corresponding addresses can be found in the IOC section. The following code snippet shows the check for Binance Coin, which is nothing more than a comparison of the first three characters of the clipboard text:\r\nString v1 = v0.substring(0, 3);\r\nChecks.checkNotNullWithName2(v1, \"(this as java.lang.Strin…ing(startIndex, endIndex)\");\r\nif (Checks.nullOrEqual(v1, \"bnb\")) {\r\n    this.b.setText(clipboardManager.bnbAddress);\r\n}\r\nCurrently, the corresponding wallets are either empty or almost empty. In the following image you can see the Bitcoin wallet:\r\nThe wallet has a relatively high number of transactions and a zero balance, indicating that it could be part of a network of wallets used to redirect stolen cryptocurrency from the victims to the criminals.\r\nC2 Communication\r\nS.O.V.A. relies on the open-source project Retrofit for its communication with the C2 server.\r\nRetrofit is a type-safe REST client for Android, Java and Kotlin developed by Square. The library provides a powerful framework for authenticating and interacting with APIs and sending network requests with OkHttp.
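The clipboard substitution described in the Clipper section above, modelled as an added example in Python (analysis-side code written for this page, not the bot’s Kotlin code): classify_address() is a stricter version of the bot’s three-character prefix test, clipper() performs the swap the bot performs on every clipboard change, and paste_is_tampered() is the check a wallet app or a user can run before sending funds. The attacker addresses are the wallet IOCs from the appendix; the victim address and the clipboard contents are constructed for the example, and the function names are ours.

```python
# Added example (not S.O.V.A. code): a model of the clipboard substitution
# described in the Clipper section, plus the integrity check a wallet app or
# user can run. Attacker wallet addresses are the IOCs from the appendix; the
# victim address and the clipboard contents below are constructed samples.

# Alphabets used to validate candidate addresses.
BASE58 = set('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz')
BECH32 = set('qpzry9x8gf2tvdw0s3jn54khce6mua7l')
HEX = set('0123456789abcdefABCDEF')

# Attacker-controlled replacement addresses (IOC section of this report).
ATTACKER_WALLETS = {
    'BTC': '18PJPLZutdZUV16uiXkX9KXX1kHw5UiJHV',
    'ETH': '0xbD1bB3101fCc1A2724C3c5c4F10Fa062DF87E134',
    'BNB': 'bnb1lwf4kzw74wuf0zmsg25fjh44pzpdwhavn3n9dq',
    'TRX': 'TUGyDe7eGJi2DVDMxc2KExksF29vHsZcQm',
}


def classify_address(text):
    '''Return the coin a string looks like an address for, or None.

    Stricter than the sample, which only tests substring(0, 3) == bnb:
    length and alphabet are checked too, so ordinary text that happens to
    start with a matching prefix is not treated as an address.
    '''
    s = text.strip()
    if s.startswith('0x') and len(s) == 42 and set(s[2:]) <= HEX:
        return 'ETH'
    if s.startswith('bnb1') and len(s) == 42 and set(s[4:]) <= BECH32:
        return 'BNB'
    if s.startswith('bc1') and 42 <= len(s) <= 62 and set(s[3:]) <= BECH32:
        return 'BTC'
    if s[:1] in ('1', '3') and 26 <= len(s) <= 35 and set(s) <= BASE58:
        return 'BTC'
    if s[:1] == 'T' and len(s) == 34 and set(s) <= BASE58:
        return 'TRX'
    return None


def clipper(clipboard_text, wallets=ATTACKER_WALLETS):
    '''What the clipper does on each clipboard change: if the new content looks
    like a wallet address, swap in the attacker address for that coin;
    anything else is left untouched so the user notices nothing.'''
    coin = classify_address(clipboard_text)
    if coin is None or coin not in wallets:
        return clipboard_text
    return wallets[coin]


def paste_is_tampered(copied, pasted):
    '''Defensive check: the address that was copied must be the one pasted.
    A clipper keeps the coin type intact (that is what makes the swap
    plausible), so the full strings are compared, not just the prefix.'''
    return classify_address(copied) is not None and copied.strip() != pasted.strip()


if __name__ == '__main__':
    # Constructed victim address (the Bitcoin genesis block address, used here
    # only as a well-known sample) passing through an infected clipboard.
    victim = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'
    pasted = clipper(victim)
    print('copied :', victim)
    print('pasted :', pasted)
    print('tampered:', paste_is_tampered(victim, pasted))
```

The defensive check is deliberately trivial: the whole attack depends on the victim not re-reading a 34-character string, so any client that remembers what the user copied and compares it with what is pasted into the recipient field defeats it.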
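Detection logic for the C2 traffic, as an added example that is not part of the original report: it parses constructed proxy log lines and flags requests whose host matches the C2 URLs from the appendix, or whose shape matches the ‘/api/?method=’ calls and the PHP endpoints listed in the two tables that follow. The log line format (timestamp, client IP, verb, URL), the sample lines and the function names are assumptions of the example; the method names, paths and hosts are the ones this report documents.

```python
# Added example (not S.O.V.A. code): detection of the C2 traffic described in
# this report, run over constructed proxy log lines. Method names, endpoint
# paths and C2 hosts come from the report; the log format and the sample
# lines are assumed for the example.
from urllib.parse import parse_qs, urlsplit

# GET /api/?method=<name> messages the bot sends to the panel.
C2_METHODS = {'bots.update', 'push.new', 'number.update', 'sms.new',
              'bots.new', 'command.delete'}
# Endpoints that receive keylog, cookie and log data.
C2_PATHS = {'/keylog.php', '/testpost.php', '/logpost.php'}
# C2 URLs exactly as listed (defanged) in the appendix.
C2_HOSTS_DEFANGED = ['hxxp://l8j1nsk3j5h1msal973nk37[.]fun',
                     'hxxp://a0545193.xsph[.]ru']


def refang(ioc):
    '''Turn the defanged notation used in reports (hxxp, [.]) into a hostname.'''
    return urlsplit(ioc.replace('hxxp', 'http').replace('[.]', '.')).hostname


C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}


def classify_request(url):
    '''Return a verdict string for one request URL, or None if it looks unrelated.

    Two independent signals are combined: the host (known C2 domains) and the
    request shape (the ?method= API or the PHP exfiltration endpoints). A shape
    match on an unknown host is still reported at low confidence, because the
    operators can move the panel to a new domain at any time.
    '''
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    method = parse_qs(parts.query).get('method', [None])[0]
    shape = None
    if parts.path.rstrip('/') == '/api' and method in C2_METHODS:
        shape = 'sova-api:' + method
    elif parts.path in C2_PATHS:
        shape = 'sova-exfil:' + parts.path
    if host in C2_HOSTS and shape:
        return 'high:' + shape
    if host in C2_HOSTS:
        return 'medium:known-c2-host'
    if shape:
        return 'low:' + shape
    return None


def scan_log(lines):
    '''Parse lines of the assumed form <timestamp> <client-ip> <verb> <url>
    and return (timestamp, client-ip, verdict) for every line that matches.'''
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        ts, client, url = fields[0], fields[1], fields[3]
        verdict = classify_request(url)
        if verdict:
            hits.append((ts, client, verdict))
    return hits


# Constructed sample log (not captured traffic): three beacons to the first
# C2 host, a registration on the second, ordinary browsing, and an API-shaped
# request to a host that is not in the IOC list.
SAMPLE_LOG = [
    '2021-09-09T10:00:01Z 10.0.0.12 GET http://l8j1nsk3j5h1msal973nk37.fun/api/?method=bots.update&id=1234',
    '2021-09-09T10:00:05Z 10.0.0.12 POST http://l8j1nsk3j5h1msal973nk37.fun/keylog.php',
    '2021-09-09T10:00:09Z 10.0.0.12 GET http://a0545193.xsph.ru/api/?method=bots.new&id=1234',
    '2021-09-09T10:01:00Z 10.0.0.12 GET https://www.example.com/index.html',
    '2021-09-09T10:02:00Z 10.0.0.40 GET http://192.0.2.7/api/?method=sms.new&text=123456',
]

if __name__ == '__main__':
    for ts, client, verdict in scan_log(SAMPLE_LOG):
        print(ts, client, verdict)
```

The shape-based rule is the one worth keeping after the domains rotate: the ‘?method=bots.update’ ping and the ‘/keylog.php’ upload are properties of the bot build, while the hosts are an operator choice.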
NOTE: ThreatFabric wants to explicitly mention that Retrofit is a legitimate and legal product. The developers that created this project have no control over the misuse of their software.\r\nC2 methods\r\nBelow is a complete list of the methods supported by the bot through its Retrofit client. These are the messages the bot sends to the C2 to request information or to send information back. The methods are sent to the API endpoint as a GET request of the form “/api/?method=<method name>”, plus the parameters required.\r\nMessage | Description\r\nbots.update | send ping message\r\npush.new | send notification text\r\nnumber.update | send phone number\r\nsms.new | send SMS text\r\nbots.new | registration (gets back the cryptowallet addresses)\r\ncommand.delete | deletes session cookie with C2\r\nC2 Endpoints\r\nThese are the endpoints reachable on the C2:\r\nEndpoint | Description\r\n/api | Main API endpoint\r\n/keylog.php | where stolen keylog data is sent\r\n/testpost.php | send stolen keylog and cookie data. Used for testing\r\n/logpost.php | send logs (v2)\r\nUpdates\r\nAs expected with malware under development, new versions surface very quickly, often adding new features or correcting malfunctions.\r\nS.O.V.A. is no different: in the 24 hours before the planned publishing of this blogpost, the bot went from version 1 to version 3, adding 3 new commands and some new features. 
This is already an extensive blog, so we will briefly sum up the most important modifications and additions.\r\nNew commands\r\nThree new commands were added to S.O.V.A.:\r\nscancookie (v2)\r\nstopcookie (v2)\r\nThese first two commands add an automation layer to the cookie-stealing mechanism. In the first iteration, session stealing could only happen when prompted by a command from the C2: if the ‘stealer’ command was sent, a cookie-stealing overlay was started. With the introduction of these two commands, the criminals can now add applications to a list of “session-stealer targets”, creating a more automated and scalable option.\r\nget2fa (v3)\r\nThe third command allows criminals to steal 2-factor authentication codes from the “Google Authenticator” app, abusing Accessibility Services to launch it and log the valid codes.\r\nNew Features\r\nTwo main features were added in the new versions of the malware. These features are the direct effect of open criticism received by the authors of S.O.V.A. from other malware authors in the forum thread created to sell this bot.\r\nThe first feature was added to address the accusation of targeting the CIS region, caused by having some Russian institutions in the ‘packageList.txt’ target list. 
The authors added a country check based on the device’s locale and on IP checks, to avoid targeting devices from the following regions:\r\nAzerbaijan\r\nArmenia\r\nBelarus\r\nKazakhstan\r\nKyrgyzstan\r\nMoldova\r\nRussia\r\nTajikistan\r\nUzbekistan\r\nHere is a snippet of the corresponding code:\r\n// safe country list: \"AZ\", \"AM\", \"BY\", \"KZ\", \"KG\", \"MD\", \"RU\", \"TJ\", \"UZ\"\r\nprivate final void checkCountry() {\r\n    Timber.d(\"Running country check\", new Object[0]);\r\n    String v1 = this.getResources().getConfiguration().locale.getCountry();\r\n    Intrinsics.checkNotNullExpressionValue(v1, \"resources.configuration.locale.country\");\r\n    if (ConstantsKt.getListCountry().contains(v1)) {\r\n        Timber.d(\"Invalid locale. Exit...\", new Object[0]);\r\n        this.finish();\r\n        return;\r\n    }\r\n    Function1 v2 = (Function1) new LauncherActivity.checkCountry.1(this);\r\n    this.retrofitUtil.checkCountry(v2);\r\n}\r\nThe locale check runs first and only looks at the region configured on the device, so an analysis device set to one of these locales will see the sample exit immediately; the IP-based half of the check is performed afterwards through a network request (the retrofitUtil.checkCountry callback), so it also needs network access to complete.\r\nIn addition, the malware also makes sure not to run whenever either of the following two Russian banking applications is installed on the device:\r\nPackage | App Name\r\ncom.idamob.tinkoff.android | Tinkoff\r\nru.sberbankmobile | СберБанк Онлайн\r\nThe second feature corresponds to more extensive support for Chinese phone manufacturers, again following requests from fellow criminals. For these manufacturers, the authors added more extensive Accessibility Service support, to increase the effectiveness of the malware on a wider range of devices.\r\nFuture Features\r\nDespite not yet being advertised or used, the new version also contains some in-the-works code that suggests what new features might be added in the future.\r\nTelegram API support\r\nA new endpoint API class was added to support Telegram communication. 
From what we can see, the authors might be inspired by Aberebot, as it looks like this endpoint will be used by the author to monitor any new information gathered by the malware. Here is the definition of the Retrofit endpoint:\r\n@GET(\"/bot{botId}/sendMessage\") Object sendInfo(@Path(\"botId\") String arg1, @Query(\"chat_id\") String arg2, @Que\r\nThere is also another endpoint, called CheckCriptaAPI. This endpoint is not used at the moment, but considering that the authors have admitted to having had issues with the encryption and obfuscation of their product, this might be a debugging class used for that purpose.\r\nConclusion\r\nThis year we have observed an explosion of Android banking malware families, both in number and in volume. The global pandemic has changed the way we interact and resulted in an even sharper increase in mobile payment usage. For this reason, it comes as no surprise that threat actors have followed the massive shift to mobile banking, and are finding ways to exploit newly emerging technologies and changing behaviour.\r\nS.O.V.A. - a new sophisticated malware - is a clear example of this trend. It is still a project in its infancy, and for now provides the same basic features as most other modern Android banking malware. However, the author behind this bot clearly has high expectations for the product, as demonstrated by the author’s dedication to testing S.O.V.A. with third parties, as well as by S.O.V.A.’s explicit feature roadmap.\r\nThe current version of S.O.V.A. is capable of stealing credentials and session cookies through overlay attacks, keylogging, hiding notifications, and manipulating the clipboard to insert modified cryptocurrency wallet addresses. 
If the authors adhere to the roadmap, it will also be able to perform on-device fraud through VNC, DDoS, ransomware, and advanced overlay attacks. These features would make S.O.V.A. the most feature-rich Android malware on the market and could become the ‘new norm’ for Android banking trojans targeting financial institutions.\r\nHow we help our customers\r\nThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this unique knowledge to detect fraud-by-malware on the mobile devices of customers in real time.\r\nTogether with our customers and partners, we are building an easy-to-access information system to tackle the ever-growing threat of mobile malware targeting the financial sector. We would especially like to thank the Cyber Defence Alliance (CDA) for collaborating and proactively sharing knowledge and information across the financial sector to fight cyber-threats.\r\nThreatFabric has partnerships with TIPs all over the world.\r\nIf you want to request a free trial of our MTI feed, or want to test our own MTI portal for 30 days, feel free to contact us at: sales@threatfabric.com\r\nIf you want more information on how we detect mobile malware on mobile devices, you can directly contact us at: info@threatfabric.com\r\nAppendix\r\nS.O.V.A. 
Samples\r\nObfuscation | Hash\r\nUnobfuscated v1 | 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57\r\nObfuscated v1 | efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7\r\nObfuscated v2 | dd8a5a1a8632d661f152f435b7afba825e474ec0d03d1c5ef8669fdc2b484165\r\nObfuscated v3 | b2e592c5cf8ccc944c06a11ff156efdfa4233fe46e2281bab3fd238f03b505e3\r\nC2 URL\r\nURL\r\nhxxp://l8j1nsk3j5h1msal973nk37[.]fun\r\nhxxp://a0545193.xsph[.]ru\r\nCryptocurrency wallets\r\nDuring our analysis, we were able to obtain the following cryptocurrency wallet addresses from S.O.V.A.’s C2. After a few days, the C2 stopped sending these as valid responses and started sending back only placeholder strings.\r\nCrypto | Address\r\nBTC | 18PJPLZutdZUV16uiXkX9KXX1kHw5UiJHV\r\nETH | 0xbD1bB3101fCc1A2724C3c5c4F10Fa062DF87E134\r\nBNB | bnb1lwf4kzw74wuf0zmsg25fjh44pzpdwhavn3n9dq\r\nTRX | TUGyDe7eGJi2DVDMxc2KExksF29vHsZcQm\r\nTargets\r\nThis is a list of the institutions or applications that are targeted via overlay:\r\nInstitution / Application\r\nmail.com\r\nDeutsche Bank\r\nNetflix\r\nBBVA Net Cash ES \u0026 PT\r\nCaixa Geral de Depósitos\r\nBankia\r\nCajalnet\r\nBi en Línea\r\nUnicajaMovil\r\nBankinter Móvil\r\nSantander Empresas\r\nPibank\r\nIbercaja\r\nABANCA Empresas\r\nBanca Móvil Laboral Kutxa\r\nKutxabank\r\nNBapp Spain\r\nBBVA Spain\r\nimaginBank - Your mobile bank\r\nCajasur\r\nSantander\r\nGoole Passwords\r\nGmail\r\npassword\r\nyahoo mail\r\nAT\u0026T\r\nVerizon\r\nBlockhchain\r\nTrust Wallet\r\nCoinbase\r\nBBVA\r\nSuntrust\r\nPNC Bank\r\nBank of America\r\nCapital ONE\r\nCiti Bank\r\nCitizen\r\nSunCorp\r\nUSAA Bank\r\nWells 
Fargo\r\nPayPal\r\nUber\r\nEVO banco\r\nIf any of the following packages is present on the victim’s device, the criminals are notified:\r\nPackageName | AppName\r\ncom.google.android.apps.authenticator2 | Google Authenticator\r\ncom.bankaustria.android.olb | Bank Austria MobileBanking\r\ncom.cibc.android.mobi | CIBC Mobile Banking®\r\ncom.rbc.mobile.android | RBC Mobile\r\ncz.airbank.android | My Air\r\ncom.kutxabank.android | Kutxabank\r\nes.lacaixa.mobile.android.newwapicon | CaixaBank\r\ncom.mtel.androidbea | BEA 東亞銀行\r\njp.co.aeonbank.android.passbook | イオン銀行通帳アプリ かんたんログイン＆残高・明細の確認\r\ncom.barclays.ke.mobile.android.ui | Barclays Kenya\r\nnz.co.anz.android.mobilebanking | ANZ goMoney New Zealand\r\nalior.bankingapp.android | Usługi Bankowe\r\nwit.android.bcpBankingApp.millenniumPL | Bank Millennium\r\ncom.idamobile.android.hcb | Мобильный банк - Хоум Кредит\r\nru.rosbank.android | ROSBANK Online\r\ncom.vkontakte.android | VK — live chatting \u0026 free calls\r\nru.taxovichkof.android | Taxovichkof\r\nhr.asseco.android.jimba.mUCI.ro | Mobile Banking\r\nmay.maybank.android | Maybank2u\r\ncom.amazon.mShop.android.shopping | Amazon Shopping - Search, Find, Ship, and Save\r\nru.alfabank.mobile.android | Альфа-Банк (Alfa-Bank)\r\ncom.idamob.tinkoff.android | Tinkoff\r\nru.vtb24.mobilebanking.android | VTB-Online\r\ncom.akbank.android.apps.akbank_direkt | Akbank\r\ncom.akbank.android.apps.akbank_direkt_tablet | Akbank Direkt Tablet\r\ncom.akbank.android.apps.akbank_direkt_tablet_20 | -\r\ncom.ykb.android | Yapı Kredi Mobile\r\ncom.ykb.android.mobilonay | Yapı Kredi Corporate-For Firms\r\ncom.ykb.androidtablet | Yapı Kredi Mobil Şube\r\nbiz.mobinex.android.apps.cep_sifrematik | Garanti BBVA Cep Şifrematik\r\ncom.matriksmobile.android.ziraatTrader | Ziraat Trader\r\nde.comdirect.android | comdirect mobile App\r\nde.fiducia.smartphone.android.banking.vr | VR Banking 
Classic\r\nfr.creditagricole.androidapp | Ma Banque\r\ncom.boursorama.android.clients | Boursorama Banque\r\ncom.caisseepargne.android.mobilebanking | Banque\r\nfr.lcl.android.customerarea | Mes Comptes - LCL\r\ncom.paypal.android.p2pmobile | PayPal Mobile Cash: Send and Request Money Fast\r\ncom.usaa.mobile.android.usaa | USAA Mobile\r\ncom.chase.sig.android | Chase Mobile\r\ncom.grppl.android.shell.BOS | Bank of Scotland Mobile Banking: secure on the go\r\ncom.rbs.mobile.android.natwestoffshore | NatWest International\r\ncom.rbs.mobile.android.natwest | NatWest Mobile Banking\r\ncom.rbs.mobile.android.natwestbandc | NatWest Business Banking\r\ncom.rbs.mobile.android.rbs | Royal Bank of Scotland Mobile Banking\r\ncom.rbs.mobile.android.rbsbandc | RBS Business Banking\r\ncom.rbs.mobile.android.ubr | Ulster Bank RI Mobile Banking\r\ncom.grppl.android.shell.halifax | Halifax: the banking app that gives you extra\r\ncom.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking: by your side\r\ncom.barclays.android.barclaysmobilebanking | Barclays\r\ncom.unionbank.ecommerce.mobile.android | Union Bank Mobile Banking\r\nau.com.ingdirect.android | ING Australia Banking\r\ncom.cba.android.netbank | CommBank app for tablet\r\ncom.anz.android.gomoney | ANZ Australia\r\ncom.anz.android | ANZ Mobile Taiwan\r\nde.fiducia.smartphone.android.banking.vr | VR Banking Classic\r\nit.volksbank.android | Volksbank · Banca Popolare\r\nde.fiducia.smartphone.android.securego.vr | VR-SecureGo\r\ncom.starfinanz.smob.android.sfinanzstatus | Sparkasse Ihre mobile Filiale\r\ncom.starfinanz.mobile.android.pushtan | S-pushTAN\r\ncom.starfinanz.smob.android.sfinanzstatus.tablet | Sparkasse fürs Tablet\r\ncom.starfinanz.smob.android.sbanking | Sparkasse+ Finanzen im Griff\r\ncom.palatine.android.mobilebanking.prod | ePalatine Particuliers\r\nes.cm.android | Bankia\r\nes.cm.android.tablet | Bankia 
Tablet\r\ncom.bestbuy.android | Best Buy\r\ncom.latuabancaperandroid | Intesa Sanpaolo Mobile\r\ncom.latuabanca_tabperandroid | La tua banca per Tablet\r\nit.copergmps.rt.pf.android.sp.bmps | Banca MPS\r\ncom.ykb.android | Yapı Kredi Mobile\r\naib.ibank.android | AIB Mobile\r\ncom.jpm.sig.android | J.P. Morgan Mobile\r\npinacleMobileiPhoneApp.android | PINACLE®\r\ncom.fuib.android.spot.online | PUMB Online\r\ncom.ukrsibbank.client.android | UKRSIB online\r\nru.alfabank.mobile.ua.android | Alfa-Mobile Ukraine\r\nua.aval.dbo.client.android | Raiffeisen Online Ukraine\r\nua.com.cs.ifobs.mobile.android.otp | OTP Smart\r\nua.com.cs.ifobs.mobile.android.pivd | Pivdenny MyBank\r\nio.getdelta.android | Delta - Bitcoin \u0026 Cryptocurrency Portfolio Tracker\r\ncom.coinbase.android | Coinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet\r\npiuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\ncom.thunkable.android.santoshmehta364.UNOCOIN_LIVE | UNOCOIN LIVE\r\ncom.thunkable.android.manirana54.LocalBitCoins | LocalBitCoins\r\ncom.thunkable.android.manirana54.LocalBitCoins_unblock | UNBLOCK Local BitCoins\r\ncom.citizensbank.androidapp | Citizens Bank Mobile Banking\r\ncom.navyfederal.android | Navy Federal Credit Union\r\nSource: https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"
	],
	"report_names": [
		"sova-new-trojan-with-fowl-intentions.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bde8db280453e3ae82cf1d30da2eb14750967004.pdf",
		"text": "https://archive.orkl.eu/bde8db280453e3ae82cf1d30da2eb14750967004.txt",
		"img": "https://archive.orkl.eu/bde8db280453e3ae82cf1d30da2eb14750967004.jpg"
	}
}