S1062: S.O.V.A.
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.[1][2]
Analyst context for executives and security teams
S.O.V.A. matters because it represents Android banking malware aimed at sensitive financial and commerce activity, including banking, cryptocurrency wallet/exchange, and shopping application contexts. The ATT&CK relationships show a broad mobile risk profile: credential and input capture, notification and SMS access, application and system discovery, web-based command communication, persistence or concealment behaviors, and potential impact behaviors such as file encryption or network denial of service. For leaders, the key question is whether mobile devices used for workforce access, financial workflows, or customer-facing operations are governed with enough visibility and response capability to detect and contain this class of Android threat.
Executive priority
Prioritize S.O.V.A. as a mobile security readiness and fraud-resilience issue rather than only a malware signature issue. It is relevant to identity assurance because related behaviors include keylogging, GUI input capture, notification access, SMS message access/control, and session-cookie theft noted in the official description. It is relevant to business continuity because ATT&CK maps it to data encryption for impact and network denial of service. Executives should ask whether Android devices that access corporate, financial, or regulated systems are enrolled, monitored, patch-governed, and removable from trust quickly during an incident.
Technical view
S.O.V.A. is an Android malware object in ATT&CK for Mobile with no official detection guidance provided. Defensive validation should therefore be behavior-led using the mapped techniques: software packing, stored application data access, keylogging, GUI input capture, installed software and system information discovery, web protocol communications, screen capture, input injection through accessibility abuse, notification access, SMS access/control, icon suppression, prevention of app removal, malicious self-uninstall, adversary-in-the-middle positioning, transmitted data manipulation, data encryption for impact, and network denial of service. SOC and IR teams should confirm whether their mobile telemetry can expose suspicious permission grants, accessibility service abuse, SMS and notification access, MediaProjection/screen-capture consent events, device administrator or device owner abuse, hidden launcher icons, unusual app inventory changes, and network communications over HTTP/HTTPS to untrusted infrastructure.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory and compliance state
- Installed application inventory, package metadata, signing/certificate reputation, and app visibility in launcher
- Android permission grants, especially SMS, notification access, accessibility services, screen capture/media projection, VPN, and device administration where available
- Mobile threat defense alerts for packed or obfuscated applications and suspicious app behavior
- Application install, uninstall, self-removal, and failed removal events
Detection direction
- Because MITRE provides no official detection text, validate coverage against the related techniques rather than relying on the S.O.V.A. name alone.
- Tune detections for combinations of risky Android behaviors: accessibility service enablement plus input injection-like activity, notification/SMS access plus financial app presence, screen capture consent plus foreground sensitive apps, or device administrator use plus uninstall resistance.
- Review mobile app vetting for packing or obfuscation because the object is related to Software Packing, which can reduce effectiveness of signature-only controls.
- Monitor for suspicious web protocol communications from newly installed or high-risk Android apps, while accounting for high false-positive volume from normal mobile HTTP/HTTPS traffic.
- Correlate app discovery and system discovery behavior with follow-on access to stored application data, SMS, notifications, or GUI input capture to reduce noise.
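The behaviour combinations called out in the Technical view and in the Detection direction list above, turned into scoring logic that runs over a device's app inventory. This is an added example, not code from the ATT&CK page, from Glexia, or from the cited ThreatFabric/Cleafy reports. The inventory record schema, its field names, the sample package names and the point weights are all assumptions chosen for illustration; the constructed sample mimics a flattened MDM/EMM or mobile-threat-defense export for one device.

```python
"""Flag Android apps whose permission/capability combinations resemble S.O.V.A.

Added example, not code from the ATT&CK page or from the cited reports. The record
schema is a hypothetical flattening of a per-package MDM/EMM or MTD export; every
field name, package name and weight below is an assumption.
"""
from dataclasses import dataclass

# Reason labels for the combinations listed under "Detection direction".
R_ACCESSIBILITY_SIDELOADED = "accessibility service enabled on sideloaded app"
R_OVERLAY_PLUS_ACCESSIBILITY = "overlay permission + accessibility (GUI capture / input injection)"
R_SMS_OR_NOTIFICATIONS_WITH_FINANCIAL = "SMS or notification access while financial apps are installed"
R_ADMIN_PLUS_HIDDEN_ICON = "device admin + hidden launcher icon (uninstall resistance, concealment)"
R_PACKED = "packed/obfuscated package"
R_RECENT_ACCESSIBILITY = "accessibility granted within 72h of install"

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ALERT_THRESHOLD = 5  # single risky grants score below this; combinations cross it


def _record(package, installer="com.android.vending", permissions=(), **flags):
    """Build one inventory record with benign defaults (constructed sample data)."""
    rec = {"package": package, "installer": installer, "permissions": list(permissions),
           "accessibility_enabled": False, "notification_listener": False,
           "device_admin": False, "launcher_icon_visible": True, "packed": False,
           "installed_hours_ago": 1000}
    rec.update(flags)
    return rec


# Constructed sample inventory: a bank app, a notes app with a notification
# listener, and a sideloaded package showing the full S.O.V.A.-like combination.
SAMPLE_INVENTORY = [
    _record("com.example.bank", permissions=["android.permission.INTERNET"]),
    _record("com.example.notes", notification_listener=True),
    _record("com.example.updater", installer=None,  # no installer: sideloaded
            permissions=["android.permission.INTERNET", "android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS", OVERLAY_PERM],
            accessibility_enabled=True, notification_listener=True, device_admin=True,
            launcher_icon_visible=False, packed=True, installed_hours_ago=6),
]
# The organisation's own list of sensitive apps (hypothetical).
FINANCIAL_PACKAGES = {"com.example.bank", "com.example.wallet"}


@dataclass
class Finding:
    package: str
    score: int
    reasons: list


def score_app(app, financial_present):
    """Score one record. financial_present says whether any app from the
    sensitive-app list is installed on the same device."""
    score, reasons = 0, []
    perms = set(app.get("permissions", []))
    sideloaded = app.get("installer") is None
    if app["accessibility_enabled"] and sideloaded:
        score += 3; reasons.append(R_ACCESSIBILITY_SIDELOADED)
    if app["accessibility_enabled"] and OVERLAY_PERM in perms:
        score += 2; reasons.append(R_OVERLAY_PLUS_ACCESSIBILITY)
    if financial_present and (app["notification_listener"] or perms & SMS_PERMS):
        score += 3; reasons.append(R_SMS_OR_NOTIFICATIONS_WITH_FINANCIAL)
    if app["device_admin"] and not app["launcher_icon_visible"]:
        score += 3; reasons.append(R_ADMIN_PLUS_HIDDEN_ICON)
    if app.get("packed"):
        score += 1; reasons.append(R_PACKED)
    if app["accessibility_enabled"] and app["installed_hours_ago"] < 72:
        score += 1; reasons.append(R_RECENT_ACCESSIBILITY)
    return Finding(app["package"], score, reasons)


def triage(inventory, financial_packages):
    """Score every app on one device; return findings at or above the threshold, highest first."""
    financial_present = any(a["package"] in financial_packages for a in inventory)
    findings = [score_app(a, financial_present) for a in inventory]
    return sorted((f for f in findings if f.score >= ALERT_THRESHOLD), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, FINANCIAL_PACKAGES):
        print(f.package, f.score, *f.reasons, sep="\n  ")
```

On the sample device only the sideloaded package crosses the threshold; the notes app with a notification listener scores 3 and stays below it, which is the point of scoring combinations rather than single grants. In production, exclude allow-listed packages before scoring and feed the findings into the correlation described in the last bullet above.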
Mitigation priorities
- Establish or validate mobile device governance for Android devices that access business, financial, identity, or regulated services, including enrollment, compliance checks, and rapid trust revocation.
- Restrict or closely monitor high-risk permissions and capabilities such as accessibility services, notification access, SMS permissions, screen capture, VPN configuration, and device administration where business policy allows.
- Use mobile application vetting and allow/deny controls for applications used in sensitive workflows, with attention to packed or obfuscated apps and apps impersonating banking, cryptocurrency, exchange, shopping, or security tools.
- Strengthen identity controls so mobile compromise does not equal account compromise: phishing-resistant authentication where feasible, session risk monitoring, and rapid session/cookie invalidation procedures.
- Prepare IR playbooks for suspected Android banking trojan activity, including device isolation, credential/session reset, financial fraud review, preservation of mobile telemetry, and re-enrollment or rebuild decisions.
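The identity-control and IR bullets above ask that a stolen session cookie not equal account compromise and that sessions can be invalidated quickly. The server-side counterpart to that, as an added example that is not code from the ATT&CK page, Glexia, or the cited reports: a session store that binds each opaque session ID to a client fingerprint, enforces idle and absolute lifetimes, reports a replay from a different client, and exposes a per-account revoke for incident response. The fingerprint recipe (User-Agent plus the /24 of an IPv4 client address) and the timeouts are design choices made for this example, not a standard.

```python
"""Server-side session store that limits the value of a stolen session cookie.

Added example for the identity-control and IR bullets; not from the ATT&CK page or
the cited reports. Assumptions: opaque server-side session IDs, IPv4 clients, and a
fingerprint of User-Agent plus the client's /24 (an illustrative choice).
"""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


def client_fingerprint(user_agent, client_ip):
    """Hash the attributes a session is bound to. Binding to the /24 rather than the
    full address tolerates carrier NAT churn on mobile while still catching replay
    from unrelated infrastructure (assumption: dotted-quad IPv4 input)."""
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry is testable offline
        self._sessions = {}      # sid -> record
        self._by_user = {}       # user -> set(sid)

    def create(self, user, user_agent, client_ip):
        sid = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(user_agent, client_ip),
                               "created": now, "last_seen": now}
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def validate(self, sid, user_agent, client_ip):
        """Return (status, user). Only status "ok" authorises the request."""
        rec = self._sessions.get(sid)
        if rec is None:
            return "unknown", None
        now = self._now()
        if now - rec["created"] > ABSOLUTE_TIMEOUT:
            self._drop(sid)
            return "absolute_expired", None
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            self._drop(sid)
            return "idle_expired", None
        if not hmac.compare_digest(rec["fp"], client_fingerprint(user_agent, client_ip)):
            # Cookie presented from a client other than the one that logged in: the
            # replay pattern for a cookie exfiltrated by mobile malware. The user is
            # returned so the caller can alert and decide whether to revoke_all().
            return "fingerprint_mismatch", rec["user"]
        rec["last_seen"] = now
        return "ok", rec["user"]

    def revoke_all(self, user):
        """IR action: kill every session for an account after suspected device compromise."""
        sids = self._by_user.pop(user, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)

    def _drop(self, sid):
        rec = self._sessions.pop(sid, None)
        if rec:
            self._by_user.get(rec["user"], set()).discard(sid)


def demo():
    """Walk through login, same-network use, replay from elsewhere, and IR revocation."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    ua = "Mozilla/5.0 (Linux; Android 13)"
    sid = store.create("alice", ua, "203.0.113.20")
    statuses = [store.validate(sid, ua, "203.0.113.77")[0]]          # same /24: ok
    statuses.append(store.validate(sid, "python-requests/2.31", "198.51.100.9")[0])
    revoked = store.revoke_all("alice")                                 # IR response
    statuses.append(store.validate(sid, ua, "203.0.113.20")[0])        # gone
    return statuses, revoked


if __name__ == "__main__":
    print(demo())
```

A fingerprint mismatch is reported rather than auto-revoking, because an attacker who can trigger mismatches at will could otherwise log the victim out repeatedly; the decision to call revoke_all belongs to the playbook step that also resets credentials and reviews for fraud.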
Analyst notes and limits
The strongest defensive value comes from mapping S.O.V.A. to observable Android behaviors and control gaps. The object description specifically identifies S.O.V.A. as an Android banking trojan observed in banking, cryptocurrency wallet/exchange, and shopping app contexts and notes session cookie theft. The relationship set is unusually broad, so prioritization should focus on the behaviors most relevant to the organization’s mobile use cases: identity access, financial applications, regulated data, and operational dependency on mobile devices.
The supplied ATT&CK object does not provide official detection text, aliases, labels, or tactics, and the relationship descriptions are technique-level context rather than confirmed event telemetry for every environment. This take does not assert current activity, attribution, customer exposure, or guaranteed detectability. Local Android management capabilities, privacy model, BYOD policy, mobile threat defense coverage, and network visibility will determine practical detection and response options.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1418 | Software Discovery | S.O.V.A. can search for installed applications that match a list of targets.[2] |
| Mobile | T1516 | Input Injection | S.O.V.A. can programmatically tap the screen or swipe.[2] |
| Mobile | T1417.002 | GUI Input Capture | S.O.V.A. can use overlays to capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.[1] |
| Mobile | T1636.004 | SMS Messages | S.O.V.A. can intercept and read SMS messages.[1] |
| Mobile | T1409 | Stored Application Data | |
| Mobile | T1513 | Screen Capture | S.O.V.A. can take screenshots and abuse the Android Screen Cast feature to capture screen data.[2] |
| Mobile | T1464 | Network Denial of Service | S.O.V.A. has C2 commands to add an infected device to a DDoS pool.[1] |
| Mobile | T1630.001 | Uninstall Malicious Application | S.O.V.A. can uninstall itself.[1] |
| Mobile | T1417.001 | Keylogging | S.O.V.A. can use keylogging to capture user input.[1] |
| Mobile | T1628.001 | Suppress Application Icon | S.O.V.A. can hide its application icon.[1] |
| Mobile | T1426 | System Information Discovery | S.O.V.A. can gather data about the device.[1] |
| Mobile | T1517 | Access Notifications | |
| Mobile | T1406.002 | Software Packing | S.O.V.A. has been distributed in obfuscated and packed form.[1] |
| Mobile | T1641.001 | Transmitted Data Manipulation | S.O.V.A. can manipulate clipboard data to replace cryptocurrency addresses.[1] |
| Mobile | T1471 | Data Encrypted for Impact | S.O.V.A. has code to encrypt device data with AES.[2] |
| Mobile | T1582 | SMS Control | S.O.V.A. can send SMS messages.[1] |
| Mobile | T1629.001 | Prevent Application Removal | S.O.V.A. can resist removal by returning to the home screen during uninstall.[1] |
| Mobile | T1437.001 | Web Protocols | S.O.V.A. can use the open-source project Retrofit for C2 communication.[1] |
| Mobile | T1638 | Adversary-in-the-Middle | S.O.V.A. has included adversary-in-the-middle capabilities.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a4142bab43ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] threatfabric_sova_0921: ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
[2] cleafy_sova_1122: Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.
[3] mitre-attack: MITRE ATT&CK, S1062.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.