sova | 8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57

Resubmissions

24-04-2024 11:50

240424-nzl72ahe3w 10

12-04-2024 13:59

28-02-2024 13:25

28-02-2024 12:56

19-02-2024 08:01

03-01-2024 08:46

Analysis

max time kernel
88s
max time network
87s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
24-04-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sova.apk
Size

569KB
MD5

01b6f0220794476fe19a54c049600ab3
SHA1

eb9dfde47a393bca666e947f285f16c20baf6c32
SHA256

8a6889610a18296e812fabd0a4ceb8b75caadc5cec1b39e8173c3e0093fd3a57
SHA512

ac3031a6dbc5bb0d1e609979336487f14efe58f8e87480e5ef7f79c2abae56977ca444bbb5bbc7970d9c416f9c754b9fedf2bdef3b7b311c2e95e07350f9c892
SSDEEP

12288:C89uYjYV1jiNQ7l5DFQo2d8GmEFDipRdWp8+iZiZ5t:9jYniCF6d8iiXg825t

Score

10^/10

sova banker collection credential_access discovery evasion impact infostealer persistence stealth trojan

Malware Config

Signatures

Sova
Android banker first seen in July 2021.
banker trojan infostealer sova

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adobe.flashplayer
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.adobe.flashplayer

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4246	com.adobe.flashplayer

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.adobe.flashplayer

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.adobe.flashplayer

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adobe.flashplayer

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.adobe.flashplayer

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org
13	api.ipify.org

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.adobe.flashplayer

com.adobe.flashplayer
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Obtains sensitive information copied to the device clipboard
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4246