SOVA, an Android banking trojan, has evolved with new features and additional code improvements. This time it has come up with a ransomware module to encrypt files on Android devices.

The new SOVA version

The new upgraded version allows SOVA to target over 200 banking, digital wallet, and cryptocurrency exchange applications, with attempts to steal, encrypt, and lock important data and cookies.
  • The latest version adds a ransomware module, allowing the attacker to encrypt files on the victim's device.
  • This version refactors existing features and improves the code, helping the operators stay stealthy on the infected Android device.
  • The VNC module is missing from this version, implying that v5 is still under development. However, SOVA v5 is ready for mass deployment even in its present unfinished form.

The backstory

Researchers at Cleafy have been tracking the evolution of SOVA since its announcement in September 2021. At that time, the malware's authors had announced a roadmap of future updates. Now, they have released the new upgraded version 5 in a short span of time.
  • In March, SOVA released version 3 with 2FA interception, cookie stealing, and new injections for multiple banks. Injections are overlays shown over the genuine login prompts of targeted apps (e.g. banking apps) to steal credentials.
  • In July, SOVA's development team released version 4, which increased the list of targeted apps to 200 and added virtual network computing (VNC) capabilities for on-device fraud.

The authors behind the SOVA malware seem determined and capable enough to improve the threat continuously. When cybercriminals stick to a set development timeline and ship new features every few months, defenders need intelligent solutions to keep pace, such as leveraging the services of threat intelligence platforms.
Cyware Publisher