SOVA android banking malware

Samridh Ashish
3 min readOct 20, 2022


Banking and Payments replicant Sova banking trojan returns with upgrades.

October 2022

Targeted countries. Credit:

What is Sova?

Sova is a scalable android banking trojan malware which can provide criminals with back-end access to devices for malicious activities through Android banking malware.

About Sova


· Initially announced and released in September 2021 in a beta stage

· It was able to steal usernames and passwords through tactics such as keylogging

· False overlays atop popular mobile applications

2022 (latest version is version 5)

· With recent upgrades, it is now capable of deploying malware to infected devices, along with other dangerous features such as encryption for ransomware.

· It is very flexible, and it can replicate over 200 banking and payment applications, as well as target cryptocurrency wallets.

· Sova can also take screenshots of infected devices and record audio through their microphones.

· Furthermore, SOVA can sneak past multi-factor authentication measures by intercepting MFA tokens, even if the user has deployed them to protect themselves.

Marketing roadmap of SOVA released in Sept’21, Credit:


Sova and similar android malware variants are spread through fraudulent applications hosted on the Google Play store. If a user downloads the app, they are infected by Sova. It is advised to users to practice caution and scrutiny with any downloadable applications. Any applications should never be downloaded anywhere other than a trusted app store or first-party source. Check the reviews and descriptions of applications as well. Businesses can protect themselves from mobile threats like Sova with mobile device management tools. With robust enterprise-level security, users can whitelist or blacklist applications, remotely wipe infected devices, and much more. With these solutions in place, mobile threats can be reduced.

Other notorious mobile banking malware

· AlienBot is based on Malware-as-a-Service (MaaS) model for malicious actors to attack Android devices. Its first stage allows a remote attacker to inject malicious code into legitimate financial applications. When the attacker acquires access to victims’ accounts and ultimately completely controls victims’ devices.

· Anubis- A banking Trojan designed to target Android mobile phones. After the detections, it has added additional features, including RAT functionality, keylogger, covertly audio recording and various ransomware functions. It has been detected on over a hundred applications in the Google Store.

· MaliBot — An android banking malware discovered targeting users in Italy and Spain. This malware disguises itself as a crypto-mining application under different names. It focuses on stealing financial information, crypto wallets and other personal data.

Six of the malicious apps found on Google Play. Credit

Trending banking malware families

· Emotet is an advanced, self-propagating and modular Trojan. It was used as a banking Trojan but is now a distributor of other malware or malicious campaigns. Multiple methods are used for maintaining persistence and defence evasion techniques. It also uses phishing emails containing malicious attachments or links to spread.

· Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is advertised as Malware-as-a-Service (MaaS) on the dark web for affordable price and robust defence evasion techniques. FormBook uses various techniques to extract credentials from several web browsers, spy on the victims by taking screenshots and log keystrokes, and download and execute files according to its command and control orders.

· Snake Keylogger is a keylogger and credential stealer based modular. NET. It was discovered in late November 2020. Its primary function is keylogging and data exfiltration from victims to malicious actors. Its infections threaten users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information. It is known as a very sophisticated keylogger.