New mobile banking virus SOVA spreading in Indian cyberspace

The new mobile banking ‘Trojan’ virus – SOVA – which was focused on countries such as the US, Russia and Spain in July 2022, added several other countries including India to its list of targets.


A new mobile banking ‘Trojan’ virus – SOVA – that can secretly encrypt an Android phone for ransom and is difficult to uninstall, is targeting Indian customers, the country’s federal cyber security agency said in its latest advisory.

The virus has been upgraded to its fifth version after it was first detected in Indian cyberspace in July.

“It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan. The first version of this malware appeared for sale in underground markets in September 2021, with the ability to harvest usernames and passwords via key logging, steal cookies and add false overlays to multiple apps,” the advisory said.

SOVA, it said, was earlier focusing on countries such as the US, Russia and Spain, but in July 2022 it added several other countries, including India, to its list of targets.

The latest version of this malware, according to the advisory, hides itself within fake Android applications that carry the logos of well-known legitimate apps such as Chrome, Amazon and NFT (non-fungible tokens associated with cryptocurrency) platforms, to deceive users into installing them.

“This malware captures the credentials when users log into their net banking app and access bank accounts. The new version of SOVA is targeting over 200 mobile applications, including banking apps and crypto exchanges/wallets,” the advisory said.

The Indian Computer Emergency Response Team or CERT-In is the federal technology arm for combating cyber attacks and protecting the Internet space against phishing and hacking attacks and similar online attacks.

The agency said the malware, like most Android banking Trojans, is distributed through smishing (phishing via SMS) attacks.

“Once the fake Android application is installed on the phone, it sends a list of all the applications installed on the device to the C2 [command and control server] controlled by the threat actor, in order to obtain a list of targeted applications.”

“At this point, C2 sends the list of addresses for each targeted application back to the malware and stores this information inside an XML file. These targeted applications are then managed through communication between the malware and C2,” it said.

The lethality of the virus can be gauged from the fact that it can collect keystrokes, steal cookies, intercept Multi-Factor Authentication (MFA) tokens, take screenshots and record video from the webcam, and can perform gestures such as screen clicks and swipes through the Android Accessibility Service.

It can also add false overlays to a range of apps and “mimic” more than 200 banking and payment applications to deceive Android users.

“It turns out that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the ability to encrypt all data on an Android phone and hold it for ransom,” it said.

According to the advisory, another key feature of the virus is the refactoring of its “protection” module, which aims to protect itself from various victim actions.

For example, it said, if the user tries to uninstall the malware from the settings or presses the icon, SOVA is able to prevent these actions by returning to the home screen and showing a toast (small popup) that displays “This app is safe”.

These attack campaigns can effectively jeopardize the privacy and security of sensitive customer data and result in “massive” attacks and financial fraud.

The agency also suggested some counter-measures and best practices that users can follow to keep themselves safe from the virus.

Users should minimize the risk of downloading potentially harmful apps by limiting their download sources to official app stores, such as the store of the device’s manufacturer or operating system, and should review the app’s “Additional Information” section before installing, it said.

One should verify app permissions and grant only those that are relevant to the purpose of the app.

They should regularly install Android updates and patches, should not browse untrusted websites or follow untrusted links, and should be careful when clicking on links provided in unsolicited emails and SMS messages.
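As an added defender-side example (not part of the advisory or this article), the script below triages two pieces of output a user or helpdesk can collect over adb on a suspect phone, matching the advice above: apps that were not installed from the official store, and apps that hold an enabled Accessibility Service, which SOVA uses for its overlays and gestures. The package names and output are constructed, and the installer allow-list is an assumption for a stock device.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not from the advisory).
# A sideloaded APK shows installer=null or the generic package installer.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.example.shop.free  installer=com.google.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs.
ENABLED_A11Y = "com.chrome.update/com.chrome.update.AccService:com.example.reader/.ReaderService"

# Assumed allow-list: only the official store counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_pm_list(text):
    """Map package name -> installer package (None when pm reports 'null')."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_a11y(text):
    """Package names that currently own an enabled Accessibility Service."""
    return {entry.split("/")[0] for entry in text.split(":") if entry}


def triage(pm_text, a11y_text, trusted=TRUSTED_INSTALLERS):
    """Return sideloaded apps, apps with Accessibility, and the overlap to review first."""
    pkgs = parse_pm_list(pm_text)
    sideloaded = {p for p, inst in pkgs.items() if inst not in trusted}
    a11y = parse_a11y(a11y_text)
    return {
        "sideloaded": sorted(sideloaded),
        "accessibility": sorted(a11y),
        "high_risk": sorted(sideloaded & a11y),  # sideloaded AND Accessibility-enabled
    }


if __name__ == "__main__":
    for key, pkgs in triage(PM_LIST, ENABLED_A11Y).items():
        print(f"{key}: {pkgs}")
```

A package that is both sideloaded and granted Accessibility is not proof of infection, but it is the first thing to inspect when a phone shows the symptoms the advisory describes.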