The new mobile banking virus ‘Trojan’ – SOVA – which targeted countries like the US, Russia and Spain, added several more countries to its target list in July 2022, including India.
A new mobile banking “Trojan horse” virus – SOVA – that can secretly encrypt an Android phone for ransom and is difficult to uninstall is targeting Indian customers, the country’s federal cyber security agency said in its latest advisory.
The virus had been upgraded to its fifth version since it was first detected in Indian cyberspace in July, the agency said.
“CERT-In has been notified that Indian banking customers are being targeted by a new type of mobile banking malware campaign using the SOVA Android Trojan. The first version of this malware appeared for sale on underground markets in September 2021 with the ability to obtain usernames and passwords through key logging, cookie theft and adding fake overlays to a number of applications,” the advisory said.
SOVA previously targeted countries like the US, Russia and Spain, but in July 2022 added several more countries to its target list, including India.
The latest version of this malware is reported to hide in fake Android apps that carry the logo of well-known legitimate apps such as Chrome, Amazon and NFT (non-fungible token, cryptocurrency-linked) platforms in order to trick users into installing them.
“This malware captures credentials when users log into their online banking applications and access their bank accounts. The new version of SOVA appears to target more than 200 mobile apps, including banking apps and crypto exchanges/wallets,” the advisory said.
The Indian Computer Emergency Response Team, or CERT-In, is the federal technology arm for fighting cyber attacks; it protects Indian cyberspace from phishing, hacking and similar online attacks.
The agency said the malware is distributed through smishing attacks (phishing via SMS), like most Android banking Trojans.
“Once a fake Android app is installed on a phone, it sends a list of all apps installed on the device to the C2 [command and control server] controlled by the threat actor to get a list of targeted apps.”
“At this point, C2 sends back to the malware a list of addresses for each target application and stores this information in an XML file. These targeted applications are then managed through communication between the malware and C2,” the advisory said.
The severity of the virus can be gauged from the fact that it can collect keystrokes, steal cookies, capture multi-factor authentication (MFA) tokens, take screenshots and record video from the camera, and can perform gestures such as clicking on the screen and swiping through the Android accessibility service.
It can also add fake overlays to a number of apps and “impersonate” more than 200 banking and payment apps to trick Android users.
“It has been found that the creators of SOVA have recently upgraded it to the fifth version since its inception, and this version has the ability to encrypt all data on an Android phone and hold it for ransom,” the advisory said.
Another key feature of the virus, according to the advisory, is the refactoring of its “protection” module, which aims to protect itself from various victim actions.
For example, if a user tries to uninstall the malware from the settings or by pressing its icon, SOVA is able to intercept these actions and prevent them by returning to the home screen and displaying a toast (a small pop-up window) that reads “This app is secured”.
These attack campaigns can effectively compromise the privacy and security of sensitive customer data and result in “large-scale” attacks and financial fraud, the agency said.
The agency also suggested some countermeasures and best practices that users can implement to protect themselves from the virus.
Users should reduce the risk of downloading potentially harmful apps by limiting their download sources to official app stores, such as the device manufacturer’s or operating system’s app store, and should always check app details, number of downloads, user reviews, comments and the “Additional Information” section, the advisory said.
Users should also verify application permissions and grant only those that have relevant context for the application’s purpose.
They should install Android updates and patches regularly, avoid browsing untrusted websites or following untrusted links, and be careful when clicking on any link in unsolicited emails and SMS messages.
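As an added illustration of the permission check recommended above (this script is not part of the advisory or the article), the code below cross-references an Android device's enabled accessibility services with its third-party package list, since accessibility access is what the Trojan described here relies on to inject gestures and block its own removal. The two inputs are constructed samples shaped like the output of the adb commands named in the comments; the package names are hypothetical.

```python
"""Flag third-party Android apps that currently hold accessibility service access."""
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# a colon-separated list of "package/ServiceClass" entries ("null" when none are set).
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/.AccessService"
)

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
# com.android.talkback is deliberately absent: it is a system app in this sample.
THIRD_PARTY_PACKAGES = """package:com.example.chromeupdate
package:com.example.bankapp
"""


def parse_enabled_services(raw: str) -> dict[str, str]:
    """Map package name -> accessibility service class from the settings string."""
    raw = raw.strip()
    if not raw or raw == "null":
        return {}
    services = {}
    for entry in raw.split(":"):
        if entry:
            pkg, _, cls = entry.partition("/")
            services[pkg] = cls
    return services


def parse_package_list(raw: str) -> set[str]:
    """Extract package names from `pm list packages` lines of the form 'package:<name>'."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", raw, re.M)}


def third_party_with_accessibility(services_raw: str, packages_raw: str) -> list[str]:
    """Return sideloaded/third-party packages with an enabled accessibility service.

    Assistive apps need this access legitimately, but a banking Trojan that uses it
    for gestures and to resist uninstall would show up here too, so review each hit."""
    enabled = parse_enabled_services(services_raw)
    third_party = parse_package_list(packages_raw)
    return sorted(pkg for pkg in enabled if pkg in third_party)


if __name__ == "__main__":
    services = parse_enabled_services(ENABLED_SERVICES)
    for pkg in third_party_with_accessibility(ENABLED_SERVICES, THIRD_PARTY_PACKAGES):
        print(f"review: {pkg} -> {services[pkg]}")
```

On a real device the two strings would be replaced by the live command output; an app that appears in the result without an obvious assistive purpose is a candidate for removal.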