S1062 S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for “owl”, contains features not commonly found in Android malware, such as session cookie theft.[2][1]

| Item | Value |
|---|---|
| ID | S1062 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 February 2023 |
| Last Modified | 13 April 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1517 | Access Notifications | S.O.V.A. can silently intercept and manipulate notifications. S.O.V.A. can also inject cookies via push notifications.[2] |
| mobile | T1638 | Adversary-in-the-Middle | S.O.V.A. has included adversary-in-the-middle capabilities.[2] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | S.O.V.A. can use the open-source project RetroFit for C2 communication.[2] |
| mobile | T1471 | Data Encrypted for Impact | S.O.V.A. has code to encrypt device data with AES.[1] |
| mobile | T1641 | Data Manipulation | - |
| mobile | T1641.001 | Transmitted Data Manipulation | S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.[2] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | S.O.V.A. can hide its application icon.[2] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.001 | Prevent Application Removal | S.O.V.A. can resist removal by going to the home screen during uninstall.[2] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.001 | Uninstall Malicious Application | S.O.V.A. can uninstall itself.[2] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | S.O.V.A. can use keylogging to capture user input.[2] |
| mobile | T1417.002 | GUI Input Capture | S.O.V.A. can use overlays to capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.[2] |
| mobile | T1516 | Input Injection | S.O.V.A. can programmatically tap the screen or swipe.[1] |
| mobile | T1464 | Network Denial of Service | S.O.V.A. has C2 commands to add an infected device to a DDoS pool.[2] |
| mobile | T1406 | Obfuscated Files or Information | - |
| mobile | T1406.002 | Software Packing | S.O.V.A. has been distributed in obfuscated and packed form.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | S.O.V.A. can intercept and read SMS messages.[2] |
| mobile | T1513 | Screen Capture | S.O.V.A. can take screenshots and abuse the Android Screen Cast feature to capture screen data.[1] |
| mobile | T1582 | SMS Control | S.O.V.A. can send SMS messages.[2] |
| mobile | T1418 | Software Discovery | S.O.V.A. can search for installed applications that match a list of targets.[1] |
| mobile | T1409 | Stored Application Data | S.O.V.A. can gather session cookies from infected devices. S.O.V.A. can also abuse Accessibility Services to steal Google Authenticator tokens.[2][1] |
| mobile | T1426 | System Information Discovery | S.O.V.A. can gather data about the device.[2] |