Overview

overview

10

Static

static

6

sova.apk

android-9-x86

10

Resubmissions

24-04-2024 11:50

240424-nzl72ahe3w 10

12-04-2024 13:59

240412-ravpnaah86 10

28-02-2024 13:25

240228-qnw9zacf2t 8

28-02-2024 12:56

240228-p6fjhacb22 10

19-02-2024 08:01

240219-jw15kaba7y 10

03-01-2024 08:46

240103-kpajpscdcp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sova.apk

  • Size

    569KB

  • Sample

    240424-nzl72ahe3w

  • MD5

    01b6f0220794476fe19a54c049600ab3

  • SHA1

    eb9dfde47a393bca666e947f285f16c20baf6c32

  • SHA256

    8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

  • SHA512

    ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892

  • SSDEEP

    12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Score
10/10
sovaandroidbankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Targets

    • Target

      sova.apk

    • Size

      569KB

    • MD5

      01b6f0220794476fe19a54c049600ab3

    • SHA1

      eb9dfde47a393bca666e947f285f16c20baf6c32

    • SHA256

      8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

    • SHA512

      ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892

    • SSDEEP

      12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

    Score
    10/10
    sovabankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencestealthtrojan

    • Sova

      Android banker first seen in July 2021.

      bankertrojaninfostealersova

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Registers a broadcast receiver at runtime (usually for listening for system events)

      persistence

    • Acquires the wake lock

    • Checks if the internet connection is available

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion
    behavioral1

MITRE ATT&CK Mobile v15

Tasks