A new mobile banking Trojan, SOVA, which can covertly encrypt an Android phone for ransom and is difficult to uninstall, is targeting Indian customers, the country's federal cybersecurity agency said in its latest advisory.
The malware has reached its fifth version since it was first detected in Indian cyberspace in July, the agency said.
"It is reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using the SOVA Android Trojan. The first version of this malware appeared for sale in underground markets in September 2021 with the ability to collect usernames and passwords via keylogging, theft of cookies, and adding fake overlays to a wide range of applications," the advisory said.
SOVA, the agency said, had previously focused on countries such as the United States, Russia and Spain, but in July 2022 it added many more countries, including India, to its target list.
The latest version of the malware, according to the advisory, hides in fake Android apps that carry the logo of popular legitimate apps such as Chrome, Amazon and NFT (non-fungible token) platforms to trick users into installing them.
"This malware acquires credentials when users log into their online banking applications and access their bank accounts. The new version of SOVA appears to be targeting over 200 mobile apps, including banking apps and crypto exchanges/wallets," the advisory reads.
The Indian Computer Emergency Response Team, or CERT-In, is the federal technology arm responsible for combating cyber attacks and guarding Indian cyberspace against phishing, hacking and similar online attacks.
The agency said the malware is distributed through smishing (SMS phishing) attacks, like most Android banking Trojans.
"Once installed on the phone, the fake Android app sends the list of all apps installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted apps."
"At this point, the C2 returns the list of addresses for each targeted application to the malware, which stores this information in an XML file. These targeted applications are then handled through the communications between the malware and the C2," the advisory said.
The severity of the malware is evident from its capabilities: it can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from the camera, and can perform gestures such as screen taps and swipes through the Android accessibility service.
It can also add fake overlays to a range of apps and mimic more than 200 banking and payment apps to defraud Android users.
"It has been found that the makers of SOVA have recently updated it to its fifth version since its inception, and this version has the ability to encrypt all data on the Android phone and hold it for ransom," the agency said.
Another key feature of the malware, according to the advisory, is the refactoring of its "protections" module, which is designed to shield the malware from various actions by the victim.
For example, the advisory says, if the user tries to uninstall the malware from the settings or by long-pressing the icon, SOVA is able to intercept these actions and block them by returning to the home screen and displaying a toast (a small popup) that reads "This application is safe".
These attack campaigns can effectively compromise the privacy and security of sensitive customer data and lead to "large-scale" attacks and financial fraud, the agency said.
The agency has also suggested some countermeasures and best practices that users can adopt to protect themselves from the malware.
Users should reduce the risk of downloading potentially malicious apps by limiting their download sources to official app stores, such as the device manufacturer's store or the operating system's app store. They should always check the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section, the advisory said.
Users should also review app permissions and grant only those that are relevant to the app's purpose.
They should install Android updates and patches regularly, avoid browsing untrustworthy websites or following untrustworthy links, and be careful when clicking on links provided in unsolicited emails and SMS messages.
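The two device-side signals most relevant to the behaviour described in the advisory are where each app was installed from (sideloaded apps bypass the official stores) and which apps hold an enabled accessibility service (the mechanism SOVA uses for gestures and uninstall blocking). The following is an added triage script, not code from CERT-In or from the malware; it parses the output of two standard `adb` commands (`adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`), flags sideloaded or brand-impersonating packages, and notes an enabled accessibility service as an aggravating factor. The sample command outputs, the fake package names (`com.example.*`) and the trusted-installer list are constructed for illustration.

```python
"""Triage check for SOVA-style Android banking Trojans (added example).

Input is the text of two adb commands, captured beforehand:
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
The sample outputs below are constructed; com.example.* packages are
hypothetical stand-ins for fake "Chrome"/"NFT" apps.
"""
import re
from typing import Dict, List, Set

# Installers treated as official stores. Assumption for this example;
# extend for the device fleet you manage (OEM stores, MDM agents, etc.).
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# Brand keyword -> genuine package names. Anything else carrying the
# keyword in its package name is treated as a lookalike.
GENUINE_PACKAGES: Dict[str, Set[str]] = {
    "chrome": {"com.android.chrome"},
}

# Constructed sample of `pm list packages -i` output.
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chrome.update  installer=null
package:com.example.nftwallet  installer=com.google.android.packageinstaller
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs).
A11Y_OUTPUT = (
    "com.example.chrome.update/com.example.chrome.update.AccService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded via adb/apk)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_accessibility(settings_output: str) -> Set[str]:
    """Set of packages that currently have an accessibility service enabled."""
    text = settings_output.strip()
    if not text or text == "null":  # setting unset prints "null"
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if "/" in entry}


def triage(pm_output: str, settings_output: str) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for packages worth a closer look.

    An enabled accessibility service on its own is normal (screen readers),
    so it is only reported as an aggravator on packages that are sideloaded
    or impersonate a known brand.
    """
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(settings_output)
    findings: Dict[str, List[str]] = {}
    for pkg, installer in installers.items():
        reasons: List[str] = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        for brand, genuine in GENUINE_PACKAGES.items():
            if brand in pkg.lower() and pkg not in genuine:
                reasons.append(
                    f"name impersonates {brand} but is not "
                    f"{'/'.join(sorted(genuine))}"
                )
        if reasons and pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST_OUTPUT, A11Y_OUTPUT).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, pipe the live `adb shell` output into `triage()` instead of the constructed strings; a sideloaded lookalike with an accessibility service enabled is exactly the profile the advisory describes, and such an app should be removed via safe mode or `adb shell pm uninstall` rather than through the settings UI the malware is able to intercept.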