top of page
  • Admin

SOVA Banking Trojan Infects Android Mobile Devices AND Can’t Be Removed

Published: January 21, 2023 on our newsletter Security Fraud News & Alerts Newsletter.

There’s a newly improved mobile banking trojan called SOVA that’s leaving a path of destruction for those using Android mobile devices. Last year, SOVA trojan was found operating in the U.S. and several other countries and is actively expanding its geo-locations. This year, SOVA malware creators added new and improved tools and versions to its arsenal, making it able to target over 200 Android mobile apps, crypto exchanges, and e-wallets.

If wiping-out a victim’s financial account isn’t tragic enough, know that SOVA malware can’t be removed from a device once it’s infected. Adding insult to injury, victims can now attach the cost of a replacement device to their total losses.

Researchers from Cleafy observed how this banking trojan takes hold of a device and the harm it unleashes. Attackers use SMS phishing (smishing) with a link that when clicked, infects a device with SOVA. Once this banking trojan gets in, it gets to work stealing sensitive personal and financial PII, sending it to a command and control server (C2C) run by attackers. SOVA also steals cookies, user credentials, takes screenshots, records strokes on a keyboard (keylogging), and lifts a host of other useful data.

Among the new SOVA tools, one allows abusing Android Accessibility features for credential harvesting using overlay attacks, device screen recordings, and making screen clicks. This improved banking trojan doesn’t miss a trick giving bad actors everything they need to clean out financial accounts.

Prolific Permissions Problem

Another part of SOVA’s success is a fast and furious push forcing numerous permissions, including disabling the ability to uninstall the malware from a device. The victim is clueless about what’s brewing inside their mobile device since the only message they see during download is “This App Is Secured.” It’s secured all right, secured by the hacker and SOVA malware.

App permissions in general can be risky when downloading and should be carefully watched since they pop-up fast and furious during the process. Taking the time to read and approve or deny a permission request can save a user from exposing what’s on their device to someone they’d prefer not have it. As an overall guide, only allow permissions that make sense for the app to function. For example, would a game app need to access your photos, emails or contacts – if it doesn’t make sense, don’t allow it.

Cleafy points out the next iteration of SOVA could include a ransomware component that’s currently under development. Integrating the ransomware feature into SOVA, Cleafy says “…strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data.” Stay tuned and stay informed.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at

bottom of page