Sequretek Advisory - SOVA malware is back and is evolving rapidly

SOVA, an Android banking trojan first discovered in September 2021, has been observed with new features.

• Security researchers at Cleafy have been studying the Android banking trojan SOVA and have recently detected an advanced version with added capabilities.

• The SOVA Android banking trojan has been active since September 2021 and has evolved several times since. Version 3, observed in March 2022, added the ability to capture 2FA codes and cookies and introduced new injections (fake login overlays) targeting the applications of multiple banks.

• Version 4, released in July 2022, can record the victim's activity by taking screenshots of the infected device, allowing the operators to retrieve more information from victims. Combined with the abuse of Android accessibility services, this lets the attackers perform gestures (clicks and swipes) on the victim's behalf and carry out fraudulent transactions directly from the infected device. The VNC capability that had long been on the authors' roadmap has also now been included.

• The latest version, 5.0, adds ransomware capabilities and has been observed targeting over 200 banking and cryptocurrency exchange apps.

• A ransomware feature, uncommon in Android malware, has been added to the newer version detected by Cleafy, together with changes to the communications between the C2 server and the infected device. The malware authors appear to have recognized that a growing number of users store important data on their mobile devices, making file encryption on the handset a viable extortion lever.
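The capabilities listed above (accessibility-service abuse for gestures, overlay injections, SMS-based 2FA capture, screen capture and the broad file access a ransomware module needs) all leave traces in an app's manifest. The following triage script is an added example, not tooling from Sequretek or Cleafy, and the indicator catalogue, risk thresholds and both sample manifests are assumptions constructed for illustration rather than anything taken from SOVA itself. It reads a decoded AndroidManifest.xml and reports which of those capability classes the app declares.

```python
"""Manifest triage for the capability pattern described in the advisory.

Added example (not Sequretek's or Cleafy's code). The indicator mapping and
the sample manifests below are constructed assumptions, not SOVA artefacts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix ElementTree uses for android:* attributes

# Assumed heuristic catalogue: permission -> (capability class, why it matters).
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", "draws over other apps: fake login injections"),
    "android.permission.RECEIVE_SMS": ("sms", "intercepts incoming SMS: 2FA code capture"),
    "android.permission.READ_SMS": ("sms", "reads the SMS store: 2FA code capture"),
    "android.permission.MANAGE_EXTERNAL_STORAGE": ("storage", "all-files access: what a ransomware module needs"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("storage", "writes shared storage: what a ransomware module needs"),
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability classes, findings and an assumed verdict for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    capabilities = set()

    # Permissions declared at the top level of the manifest.
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name", "")
        if name in PERMISSION_INDICATORS:
            cls, why = PERMISSION_INDICATORS[name]
            capabilities.add(cls)
            findings.append((name, why))

    # Services: an accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE,
    # and screen capture on Android 10+ needs a mediaProjection foreground service.
    app = root.find("application")
    for svc in (app.findall("service") if app is not None else []):
        svc_name = svc.get(A + "name", "?")
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            capabilities.add("accessibility")
            findings.append((svc_name, "accessibility service: reads the screen and injects gestures"))
        if "mediaProjection" in (svc.get(A + "foregroundServiceType") or ""):
            capabilities.add("screencap")
            findings.append((svc_name, "mediaProjection foreground service: screenshots / screen recording"))

    # Assumed thresholds: accessibility plus two more classes is the banker pattern.
    if "accessibility" in capabilities and len(capabilities) >= 3:
        verdict = "high"
    elif "accessibility" in capabilities or len(capabilities) >= 2:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "capabilities": sorted(capabilities),
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample: a fake "update" app declaring the full capability set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CapService" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no abuse-prone capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print(label, report["package"], report["verdict"], report["capabilities"])
        for where, why in report["findings"]:
            print("   ", where, "->", why)
```

Two caveats apply. Real APKs carry the manifest in binary AXML form, so it has to be decoded first (apktool or androguard) before this script can read it; and legitimate screen readers, SMS clients and file managers declare some of the same permissions, so the output is a triage priority, not a conviction. The signal is the combination: an accessibility service together with overlay, SMS and storage access in an app that claims to be an "update" is the pattern the advisory describes.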

