
About S.O.V.A. Malware Family

December 22, 2021

Our SOC team has reverse-engineered the peculiar S.O.V.A. malware family. This article covers what makes S.O.V.A. unique, how it works and some of its more unusual details, namely its cookie stealing and its evolution in the wild.

S.O.V.A. is one of the newer families of Android malware. It has banking malware capabilities and great potential to wreak havoc elsewhere as well. Our research shows that newer versions of the malware are continuously found in the wild, some with updated or added functionality depending on the version.

What makes this malware distinct, beyond its model of development, is its wide range of capabilities and the use of a cookie stealing mechanism.


Malware behavior

We have gathered and analyzed multiple samples of the malware, across multiple stages of its development.

The samples we gathered mask themselves as various applications, including Adobe Flashplayer, InPost, DPD, or YouTube Adblocker. The samples do not provide any functionality of the apps that they are imitating.

As is usual with this kind of malware, when the user opens the app they are prompted to grant it Accessibility permissions. The user can back out and decline, but shortly afterwards the app will start prompting repeatedly for access to critical phone functions.

Once it has the Accessibility permissions, it automatically grants itself permissions to record audio, access contacts, make and manage phone calls, access files, and send and view SMS messages.

The malware relies heavily on its command and control (C2, sometimes written C&C) server for most of its malicious activities.

The capabilities of the malware differ between samples, but most of the samples we have seen can:

  • Disable notifications, including SMS notifications (some commands enable the notifications back)
  • Send SMS
  • Send data gathered using a keylogger to the C2
  • Create WebViews as overlays, use WebViews to steal cookies, send a notification to the user and open a WebView for them
  • Get two-factor authentication tokens
  • Delete the app from the device
  • Launch applications

We presented some of these features in depth in one of our previous webinars on mobile banking malware.


Cookie Stealing

One of the S.O.V.A. peculiarities is stealing cookies. This is a rare feature that has not been used widely among Android malware families. (We wrote more about popular malware families here, and here.)

Given its power and effect, however, cookie stealing may well become a more common feature in future Android malware as other malware authors take inspiration from S.O.V.A.


How does cookie stealing work?

The malware uses a WebView to load the URL of a service the user wants to access, such as a banking service.

Once the user signs into the service, the malware uses CookieManager to extract the cookies associated with the current URL.

The malware then parses the output of CookieManager, stores the cookies in an internal representation and sends them to the C2 server. The internal representation keeps attributes such as the domain, expiration date and httpOnly flag, so everything normally found in a cookie is preserved.

In effect this allows the fraudsters to clone the cookies and log in to protected applications as if they were the user. Session and authentication cookies usually carry an expiry date, but they can still be abused in the window until that date passes.

S.O.V.A. malware evolution

While examining the various samples of the malware, we observed additions and modifications to the code structure, as well as changing features and capabilities: a noticeable evolution across the samples.

We found this interesting and researched these peculiarities further. The following is an overview of the observed S.O.V.A. development.

Pre-launch checking

One of the peculiarities we discovered is that the newer versions of the malware do not launch themselves if certain conditions are met.

First, on launch the malware determines the location of the device using services such as api.ipify.org and ip-api.com.

If the device's location is on a list embedded in the application, the malware stops executing. The list initially contained these countries: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Uzbekistan. Later versions also added Ukraine and Indonesia.

The second check looks at whether certain applications are installed on the device. Some of the samples check whether the device has an application with the package name “ru.sberbankmobile” or “com.idamob.tinkoff.android” (the package names of two Russian banking apps).

Fig. 1 The first function (checkCountry) checks if the device’s country is set to a country from a specific list. The second one (checkCountry$checkForSngPackages) checks if certain apps are installed on the device.
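The two pre-launch checks above leave recognisable strings behind in a sample. The following script, an added example that is not ThreatMark's code, shows a simple static triage heuristic: it scans strings extracted from a decompiled APK (for instance with jadx or `strings`) for the geolocation lookup hosts, the geofenced country list and the two bank package names this article reports, and scores how many of the three indicator classes are present. The ISO 3166 country codes, the "at least three codes" threshold and the sample strings are assumptions constructed for the demonstration; because later samples obfuscate their strings, this only works on the unobfuscated first version or on strings that have already been decoded.

```python
"""Static triage for the S.O.V.A. pre-launch checks described in this section.

Added example, not ThreatMark's code. It scans strings as extracted from a
decompiled APK (e.g. with jadx or `strings`) for the three indicator classes
this article reports: geolocation lookup hosts, the geofenced country list and
the two Russian bank package names. The ISO 3166 country codes and the
"at least three codes" threshold are assumptions; the input is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Set

# Indicators from the article. Later samples obfuscate their strings, so this
# only works on the unobfuscated first version or on strings already decoded.
GEOIP_SERVICES = {"api.ipify.org", "ip-api.com"}
# ISO 3166-1 alpha-2 codes for Azerbaijan, Armenia, Belarus, Kazakhstan,
# Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine and Indonesia
# (assumption: the sample encodes its country list this way).
GEOFENCED_COUNTRIES = {"AZ", "AM", "BY", "KZ", "KG", "MD", "RU", "TJ", "UZ", "UA", "ID"}
SNG_BANK_PACKAGES = {"ru.sberbankmobile", "com.idamob.tinkoff.android"}
MIN_COUNTRY_HITS = 3  # two-letter tokens are noisy; require several codes


@dataclass
class TriageResult:
    geoip: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    packages: Set[str] = field(default_factory=set)

    @property
    def score(self) -> int:
        """One point per indicator class present; 3 means all pre-launch checks were found."""
        return (int(bool(self.geoip))
                + int(len(self.countries) >= MIN_COUNTRY_HITS)
                + int(bool(self.packages)))


def triage_strings(strings: Iterable[str]) -> TriageResult:
    """Collect geoip hosts, country codes and bank package names seen in the strings."""
    result = TriageResult()
    for s in strings:
        lowered = s.lower()
        for host in GEOIP_SERVICES:
            if host in lowered:
                result.geoip.add(host)
        for pkg in SNG_BANK_PACKAGES:
            if pkg in lowered:
                result.packages.add(pkg)
        # Match whole upper-case two-letter tokens only; case is significant here.
        for token in re.findall(r"\b[A-Z]{2}\b", s):
            if token in GEOFENCED_COUNTRIES:
                result.countries.add(token)
    return result


# Constructed strings imitating what a decompiled sample might contain.
SAMPLE_STRINGS = [
    "https://api.ipify.org?format=json",
    "http://ip-api.com/json/",
    "RU", "BY", "KZ", "UA", "ID",
    "ru.sberbankmobile",
    "com.idamob.tinkoff.android",
    "Lcom/squareup/okhttp3/OkHttpClient;",
]

if __name__ == "__main__":
    r = triage_strings(SAMPLE_STRINGS)
    print(f"score={r.score} geoip={sorted(r.geoip)} "
          f"countries={sorted(r.countries)} packages={sorted(r.packages)}")
```

A score of 3 on the constructed input means all three checks were found; a lone two-letter token such as "ID" scores nothing, which is why the country class uses a threshold rather than a single hit.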


Newer capabilities of S.O.V.A. malware

In our research, we’ve stumbled upon some functionality that is included in the newer S.O.V.A. malware samples.

One of the newer capabilities focuses on cryptocurrency, wallets and apps.

Some samples modify the clipboard when text resembling a cryptocurrency wallet address is detected. Other samples add support for the Trust Wallet and Exodus Wallet apps.

These differences show that the malware is continuously developing and that its focus changes between versions.


In some versions, the code was extended with brand-specific handling for particular phones. Honor, Oppo and Xiaomi were targeted first; later samples added Samsung and Vivo. These extensions add functionality to the accessibility service, such as clicking.

The extraction of two-factor authentication codes is also a newer feature. It is triggered by a C2 command and currently supports only the Google Authenticator app.

The newer samples also focus on protecting the malware against uninstallation. We previously wrote about how FluBot prevents uninstallation; the advice we gave then on circumventing this protection still applies and is repeated below.

Obfuscation techniques

The earliest version of the malware does not use any obfuscation to hide its hard-coded strings.

All later versions employ a simple obfuscation technique: every class carries a decoding function that reconstructs certain strings used in the code from a custom array of numbers. The decoding function is identical in every class and in every sample.

The first sample contains all the files necessary for analysis within a single APK. Later samples packed the classes that carry out the malicious behavior inside the APK and dynamically unpacked this additional code at run time, but did not delete the unpacked files; deletion of the unpacked files was added later still.

Third-party software

From the first samples onward, the malware has consistently used Retrofit and OkHttp3, including a Retrofit client for communication with the C2 server.

In later versions of the malware, we observed the inclusion of logging using Timber. Certain actions are logged, such as when cookie stealing is being performed or when Accessibility permissions are granted.

How to get rid of S.O.V.A. malware

As with the FluBot malware, newer versions of the S.O.V.A. malware actively protect against uninstalling by closing the settings app whenever the user attempts to uninstall it.

Luckily, there are several ways to uninstall the malware despite this protection.

  1. Use Android’s safe boot:
     • Hold down the Power button.
     • Long tap on the Restart option – a prompt will appear; confirm you want to reboot into safe mode.
     • Go into the system settings, find the malware app among the installed applications and uninstall it.
  2. Use adb – this is a bit more advanced, as you need to connect your device to a PC and issue commands to it through the command line. You can follow this guide to uninstall the malware this way.

How does ThreatMark protect against this malware?

ThreatMark’s SOC team is constantly on the lookout for the latest threats in the digital world. Their mission is to discover threats such as S.O.V.A., dissect them and learn their modus operandi.

Once the details are known, the SOC team updates the Threat Intelligence of our ThreatMark Anti-Fraud Suite so that everyone can benefit from it.

From then on, all our clients receive detections and alerts on any signs of infection or overlay injection. This intelligence further allows our clients to block any fraudulent transactions, or other activities, coming from the infected devices.

To learn more about how ThreatMark detects mobile malware, and other threats, contact us.

Conclusion

Although the malware is still in the testing phase, its authors are showing great interest in the development of its functionality.

S.O.V.A. features several capabilities that make it powerful and dangerous. From cookie stealing to an ever-changing feature set, S.O.V.A. should be on the radar of all cyber security researchers and deserves the utmost attention.

Indicators of Compromise

Malware samples:

C2 addresses:
l8j1nsk3j5h1msal973nk37.fun/
a0545193.xsph.ru
Sovamo3lan2s4s31d.top/
ylunosyath.xyz
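The C2 addresses above are the most directly actionable indicators in this article. The script below, an added example rather than ThreatMark's detection logic, normalises them to hostnames (the list mixes bare hosts with URL-style entries carrying a trailing slash) and matches DNS query logs against them, flagging both exact matches and subdomains of a listed host while ignoring lookalike hosts that merely end in the same letters. The log lines are constructed and imitate dnsmasq-style query records; that field layout is an assumption, so adapt the regular expression to your resolver's format.

```python
"""Match DNS query logs against the S.O.V.A. C2 indicators listed in this article.

Added example, not ThreatMark's code. The indicator list is taken from the
article; the log lines are constructed (dnsmasq-style query records) and
their layout is an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# C2 addresses exactly as listed in the article (mixed bare hosts and URL-style).
C2_INDICATORS = [
    "l8j1nsk3j5h1msal973nk37.fun/",
    "a0545193.xsph.ru",
    "Sovamo3lan2s4s31d.top/",
    "ylunosyath.xyz",
]


def normalize_host(indicator: str) -> str:
    """Reduce an indicator (bare host or URL with a trailing slash) to a lowercase hostname."""
    ind = indicator.strip().lower()
    if "://" not in ind:
        ind = "//" + ind  # lets urlsplit treat the leading part as the network location
    return (urlsplit(ind).hostname or "").rstrip(".")


C2_HOSTS = frozenset(normalize_host(i) for i in C2_INDICATORS)


def host_matches(host: str) -> Optional[str]:
    """Return the matching C2 host if `host` equals it or is one of its subdomains."""
    h = host.lower().rstrip(".")
    for c2 in C2_HOSTS:
        if h == c2 or h.endswith("." + c2):
            return c2
    return None


# Assumed dnsmasq-style layout: "... dnsmasq[pid]: query[A] host from client"
DNS_QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<host>\S+) from (?P<client>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per query whose name matches a C2 indicator."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        c2 = host_matches(m.group("host"))
        if c2:
            hits.append({"client": m.group("client"),
                         "host": m.group("host"),
                         "indicator": c2})
    return hits


# Constructed log lines for demonstration; one benign query, three C2 lookups
# (one of them a subdomain, one in upper case) and one lookalike that must not match.
SAMPLE_LOG = [
    "Dec 22 09:14:02 gw dnsmasq[412]: query[A] www.example.com from 10.0.0.7",
    "Dec 22 09:14:05 gw dnsmasq[412]: query[A] a0545193.xsph.ru from 10.0.0.23",
    "Dec 22 09:14:09 gw dnsmasq[412]: query[A] api.ylunosyath.xyz from 10.0.0.23",
    "Dec 22 09:15:41 gw dnsmasq[412]: query[AAAA] SOVAMO3LAN2S4S31D.TOP from 10.0.0.5",
    "Dec 22 09:15:50 gw dnsmasq[412]: query[A] notylunosyath.xyz from 10.0.0.9",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} resolved {hit['host']} (indicator: {hit['indicator']})")
```

Matching on the full host label boundary (`== c2` or `endswith("." + c2)`) is what keeps `notylunosyath.xyz` out of the results; a plain substring check would raise a false alert on it. Lookups of api.ipify.org and ip-api.com are not indicators on their own, since legitimate apps use them too, but they are useful for correlation once a client has already hit one of the C2 hosts.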