sova | 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

Resubmissions

24-04-2024 11:50

240424-nzl72ahe3w 10

12-04-2024 13:59

28-02-2024 13:25

28-02-2024 12:56

19-02-2024 08:01

03-01-2024 08:46

Analysis

max time kernel
303s
max time network
310s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
12-04-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sova.apk
Size

569KB
MD5

01b6f0220794476fe19a54c049600ab3
SHA1

eb9dfde47a393bca666e947f285f16c20baf6c32
SHA256

8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
SHA512

ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892
SSDEEP

12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Score

10^/10

sova banker collection discovery evasion infostealer stealth trojan

Malware Config

Signatures

Sova
Android banker first seen in July 2021.
banker trojan infostealer sova

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.adobe.flashplayer

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.adobe.flashplayer
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adobe.flashplayer

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.adobe.flashplayer

pid process

5006 com.adobe.flashplayer
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Acquires the wake lock 1 IoCs

Processes:

com.adobe.flashplayer

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.adobe.flashplayer
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

pid	process
5006	com.adobe.flashplayer

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adobe.flashplayer

flow	ioc
4	api.ipify.org
5	api.ipify.org

com.adobe.flashplayer
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Acquires the wake lock
PID:5006

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads