The SOVA Android banking trojan has added a new ransomware feature that encrypts files on mobile devices.
The new version 5 of the malware comes with a ransomware module that uses AES encryption to lock all files in infected devices and attach the “.enc” to the renamed, encrypted files.
While it is not yet widely used, Cleafy researchers said the new version of the malware is ready for mass deployment.
SOVA’s new capabilities were uncovered by threat analysts at mobile security firm Cleafy.
According to the researchers, SOVA released version 3 in March 2022. For version 3, the malware added 2FA interception, cookie theft and new injections for several banks worldwide.
SOVA developed version 4, which was released in July 2022.
These features allow the malware to target over 200 banking applications, cryptocurrency exchanges and digital wallets to steal sensitive user data and cookies from them.
Version 4 also provided support for commands such as screenshots, clicks and swipes, copying and pasting files, and arbitrary use of overlay screens. Code refactoring in the cookie stealer mechanism has also been extended to version 4. This mechanism targets Gmail, GPay, and Google Password Manager.
To protect it against server defences, SOVA added some defences, including the abuse of accessibility permissions to push the user back to the home screen when trying to manually uninstall the app.
The sources for this piece include an article in BleepingComputer.