SOVA, a new mobile banking trojan that can stealthily encrypt data on an Android phone for ransom and is difficult to uninstall, is targeting Indian customers.
SOVA used to focus on countries such as the US, Russia and Spain, but in July 2022 it added several other countries, including India, to its target list.
India’s federal cybersecurity agency, CERT-In, issued an advisory stating that the malware has been updated to its fifth version since it was first detected in Indian cyberspace in July.
“It has been reported to CERT-In that Indian banking customers are being targeted by a new breed of mobile banking malware campaign using the SOVA Android Trojan. The first version of this malware was put up for sale on underground markets in September 2021 with the ability to harvest usernames and passwords via key-logging, stealing cookies and adding fake overlays to a number of apps,” the advisory said.
SOVA can add fake overlays to a number of apps and “mimic” more than 200 banking and payment applications to fool the Android user.
The latest version of the malware hides in fake Android applications that carry the logo of well-known legitimate apps such as Chrome, Amazon and NFT (non-fungible token, a crypto-linked asset) platforms to trick users into installing it.
The Indian Computer Emergency Response Team, or CERT-In, is the federal technology arm that counters cyber attacks and protects Indian internet space from phishing, hacking and similar online attacks. Like most Android banking trojans, the malware is distributed via smishing (phishing via SMS), the agency said.
The capability of the malware can be gauged from its ability to collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from the camera, and perform gestures such as screen taps and swipes through the Android accessibility service.
Another key feature, according to the advisory, is the redesign of its “protection” module, which aims to shield the malware from actions the victim takes against it. For example, if the user tries to uninstall the malware from Settings or by pressing its icon, SOVA can intercept and block these actions by returning to the home screen and displaying a toast (a small pop-up) saying “This app is secured”.
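The two capabilities described above, an enabled accessibility service (used for keylogging, gesture injection and blocking uninstall) and the overlay permission (used to draw fake login screens), are the pair an investigator would look for on a suspect handset. The following triage script is an added example, not code from the article or from CERT-In. It parses the text returned by three standard adb commands (`pm list packages -3`, `settings get secure enabled_accessibility_services` and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags third-party packages that hold both. The package names and command outputs below are constructed for illustration; on a real device you would paste in the actual output.

```python
"""Flag third-party Android packages that combine an enabled accessibility
service with the SYSTEM_ALERT_WINDOW (overlay) permission, the capability
pair a SOVA-style banking trojan depends on. All inputs below are
constructed samples in the format the named adb commands return; they are
not captured from a real device."""

import re

# Constructed sample of: adb shell pm list packages -3
PM_LIST = """\
package:com.example.notes
package:com.fakechrome.update
package:com.vendor.launcher
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/ServiceClass"; the setting reads "null" when empty.
ENABLED_A11Y = (
    "com.fakechrome.update/com.fakechrome.update.AccessService:"
    "com.vendor.launcher/com.vendor.launcher.TalkHelper"
)

# Constructed samples of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
APPOPS = {
    "com.example.notes": "No operations.",
    "com.fakechrome.update": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m; duration=+0ms",
    "com.vendor.launcher": "SYSTEM_ALERT_WINDOW: ignore; time=+5d1h",
}


def parse_third_party(pm_output):
    """Return the set of package names from 'pm list packages -3' output."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_enabled_a11y(setting):
    """Return the set of packages that own an enabled accessibility service."""
    pkgs = set()
    for entry in setting.split(":"):
        entry = entry.strip()
        if entry and entry != "null":
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def has_overlay(appops_output):
    """True only when the overlay op is explicitly 'allow' (not ignore/deny/default)."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(pm_output, a11y_setting, appops_by_pkg):
    """Map each suspicious third-party package to the capabilities it holds."""
    third_party = parse_third_party(pm_output)
    a11y_pkgs = parse_enabled_a11y(a11y_setting)
    findings = {}
    for pkg in sorted(third_party):
        flags = []
        if pkg in a11y_pkgs:
            flags.append("accessibility-enabled")
        if has_overlay(appops_by_pkg.get(pkg, "")):
            flags.append("overlay-allowed")
        if flags:
            findings[pkg] = flags
    return findings


if __name__ == "__main__":
    for pkg, flags in triage(PM_LIST, ENABLED_A11Y, APPOPS).items():
        marker = "!!" if len(flags) == 2 else "  "
        print(f"{marker} {pkg}: {', '.join(flags)}")
```

Packages carrying both flags deserve immediate attention; a package with only an accessibility service may be a legitimate assistive tool, so the combination is the signal, not either permission alone. Because adb runs from a connected host rather than through the on-device Settings UI that the advisory says SOVA intercepts, it gives the investigator a view the malware's protection module is not designed to block; removing the package is a separate step and should follow the organisation's incident-handling process.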
It can compromise the privacy and security of sensitive customer data and lead to “large scale” attacks and financial fraud.
As per the advisory, once installed on the phone, the fake Android application sends the list of all applications installed on the device to the attacker-controlled C2 (command-and-control) server in order to obtain the list of targeted applications.
“At this point, the C2 sends the list of addresses for each targeted application back to the malware and stores this information in an XML file. These target applications are then managed through the communication between the malware and the C2,” the advisory said.
CERT-In suggested countermeasures and best practices that users can adopt to protect themselves from the malware.
“Users should reduce the risk of downloading potentially harmful apps by limiting their download sources to official app stores,” it said.
Users should also review app permissions and grant only those that are relevant to the app’s purpose.
They should install Android updates and patches regularly, avoid untrustworthy websites and links, and exercise caution when clicking on links in unsolicited emails and SMS messages.