Beware, this malware targets more than 200 Android banking and cryptocurrency applications

Malware called SOVA threatens Android smartphones. Increasingly sophisticated, the virus targets more than 200 applications, including banking and cryptocurrency exchange apps. The malware is designed to steal victims’ money and siphon off all their personal data. It can also turn into ransomware.

Cleafy computer security researchers warn users of an Android smartphone. According to experts, a new version of the SOVA malware currently circulating on the web.

This fourth iteration aims more than 200 mobile applications », including apps from banks, cryptocurrency exchange platforms (Binance, Coinbase,, etc.) or digital wallets. The aim of the hackers is to seize the currencies held on these applications.

According to Cleafy’s investigation, SOVA first appeared in September 2021. The developer behind the malware announced the arrival of a new virus on the market through a well-known underground forum ». At that time, the development of SOVA was not yet complete. Several versions of the malware went on sale in the months following the announcement.

On the same topic: Quickly uninstall these 17 Android apps that steal your bank details and passwords

Malware that refuses to be uninstalled

The virus is spreading through dummy apps. In particular, SOVA is found in fake APKs for Chrome, Amazon or non-fungible token (NFT) sale and purchase platforms.

Once installed in the victim’s smartphone, the malware will work to get credentials of certain applications. To achieve this, SOVA will superimpose a window, using the design of the app, when opening the application. The user will then provide his username and password without suspecting the trickery.

Since the release of the fourth version, SOVA is also able to take screenshots unbeknownst to users. This new feature, common to many Trojan horse-type viruses, again makes it possible to discreetly steal victims’ personal data.

In the process, the malware siphons off all the information contained on the targeted terminal, such as login cookies. Thanks to these trackers, a hacker can temporarily bypass the security of certain sites. They also make it possible to bypass the fraud detection mechanisms put in place by certain services, such as PayPal in particular.

To prevent the victim from uninstalling the infected applications, the SOVA developers have implemented security measures. The virus is capable of block a user who tries to uninstall malware from settings or press icon » on the home screen. The malware will then display a warning window titled “This app is secure.”

Malware turned ransomware

Cleafy researchers also spotted a fifth version of SOVA on the Web. This is the latest iteration. Still in development, it has been enriched with a ransomware feature.

Like other ransomware, SOVA can encrypt all stored files on the smartphone. To regain access to these files, the victim will be encouraged to pay a ransom, usually in cryptocurrencies. It’s rare for a Trojan to embed a ransomware module, Cleafy notes. According to the researchers, hackers are adapting to changing uses.

In effect, mobile phones have become the central storage tool for personal and professional data for most people”. To avoid unpleasant surprises, we recommend that you be careful when downloading APK files from the web.

Source :


Leave a Comment