In September 2021, SOVA, a new Android Banking Trojan, was announced in a known underground forum, according to Cleafy.

Until March 2022, multiple versions of SOVA were found, and some of these features were already implemented, such as 2FA interception, cookie stealing and injections for new targets and countries (e.g. multiple Philippine banks).

Now, researchers at Cleafy have discovered a new SOVA version targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.

Threat actors can obtain screenshots of the infected devices to retrieve more information from the victims, and record and obtain any sensitive information. These features, combined with Accessibility services, enable threat actors to perform gestures and, consequently, fraudulent activities from the infected device, as seen in other Android Banking Trojans, Cleafy researchers found.

During the reviewing of SOVA v4, Cleafy researchers also observed multiple samples that may belong to a further variant of SOVA (v5), with new features and some small changes in the communications between the malware and the C2 server. The new variant seems to be under development, as Cleafy found multiple logs that were used for debugging.  

Although there are several changes in v5, the most interesting feature added in SOVA v5 is the ransomware module that was announced in the roadmap of September 2021. While this feature has been implemented in the current version (v5), it seems to be still under development at the time of writing.

According to Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer (CISO) at Delinea, the significant improvements to SOVA v4 show that attackers can simply expand existing features such as the cookies stealer, which now includes more payment services and applications to exploit.

"Adding ransomware capabilities can have multiple advantages for attackers, such as destroying evidence, so it is difficult for digital forensics to discover any traces or attribution of the attacker and also gives the attacker an additional option to get paid when stealing credentials or cookies is not successful," Carson explains. 

In addition, adding capabilities that allow attackers to grab screenshots and record and execute commands enable an attacker to laterally move around to other systems or applications that might be more lucrative than the current compromised system, Carson says.

"As new internet services specifically in the financial industry get adopted," Carson adds, "attackers will need to keep updating banking trojans with new modules just like any other software company to stay compatible with newer technologies."

For the full Cleafy report, visit