
S1062 S.O.V.A.

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[2][1]

| Item | Value |
| --- | --- |
| ID | S1062 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 February 2023 |
| Last Modified | 13 April 2023 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1517 | Access Notifications | S.O.V.A. can silently intercept and manipulate notifications. S.O.V.A. can also inject cookies via push notifications.[2] |
| mobile | T1638 | Adversary-in-the-Middle | S.O.V.A. has included adversary-in-the-middle capabilities.[2] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | S.O.V.A. can use the open-source project RetroFit for C2 communication.[2] |
| mobile | T1471 | Data Encrypted for Impact | S.O.V.A. has code to encrypt device data with AES.[1] |
| mobile | T1641 | Data Manipulation | - |
| mobile | T1641.001 | Transmitted Data Manipulation | S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.[2] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | S.O.V.A. can hide its application icon.[2] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.001 | Prevent Application Removal | S.O.V.A. can resist removal by going to the home screen during uninstall.[2] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.001 | Uninstall Malicious Application | S.O.V.A. can uninstall itself.[2] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | S.O.V.A. can use keylogging to capture user input.[2] |
| mobile | T1417.002 | GUI Input Capture | S.O.V.A. can use overlays to capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.[2] |
| mobile | T1516 | Input Injection | S.O.V.A. can programmatically tap the screen or swipe.[1] |
| mobile | T1464 | Network Denial of Service | S.O.V.A. has C2 commands to add an infected device to a DDoS pool.[2] |
| mobile | T1406 | Obfuscated Files or Information | - |
| mobile | T1406.002 | Software Packing | S.O.V.A. has been distributed in obfuscated and packed form.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | S.O.V.A. can intercept and read SMS messages.[2] |
| mobile | T1513 | Screen Capture | S.O.V.A. can take screenshots and abuse the Android Screen Cast feature to capture screen data.[1] |
| mobile | T1582 | SMS Control | S.O.V.A. can send SMS messages.[2] |
| mobile | T1418 | Software Discovery | S.O.V.A. can search for installed applications that match a list of targets.[1] |
| mobile | T1409 | Stored Application Data | S.O.V.A. can gather session cookies from infected devices. S.O.V.A. can also abuse Accessibility Services to steal Google Authenticator tokens.[2][1] |
| mobile | T1426 | System Information Discovery | S.O.V.A. can gather data about the device.[2] |

References