CERT-In has warned of a new mobile banking malware campaign using the SOVA Android Trojan, which targets more than 200 mobile apps.
Indian banking customers are being targeted by a new mobile banking malware campaign using the SOVA Android Trojan, the Indian Computer Emergency Response Team (CERT-In), which operates under the Ministry of Electronics and Information Technology, said in its latest advisory. SOVA earlier focused on countries such as the USA, Russia and Spain; since July 2022, however, it has added India and several other countries to its list of targets, the agency said. The latest version of the malware hides inside fake Android apps that carry the logo of a few well-known legitimate apps, such as Chrome, Amazon or an NFT platform, to trick users into installing them.
The new version of the SOVA malware targets more than 200 mobile applications, including banking apps and crypto exchanges/wallets. The malware captures credentials when users log into their net banking apps and access their bank accounts. “As per the reports, the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans. Once the fake Android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted applications,” CERT-In said.
It further added, “At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2.”
SOVA malware’s list of functions
The malware’s functions include collecting keystrokes, stealing cookies, intercepting multi-factor authentication (MFA) tokens, taking screenshots and recording video from the webcam, performing gestures such as screen clicks and swipes through the Android accessibility service, copy/paste, adding false overlays to a range of apps, and mimicking over 200 banking and payment applications.
“It has been discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the capability to encrypt all data on an Android phone and hold it to ransom,” the report said. Another key feature of the virus, according to the report, is the refactoring of its “protections” module, which aims to protect the malware from different victim actions.
For example, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them by returning to the home screen and showing a toast (small popup) that reads “This app is secured,” the report said.
These attack campaigns can effectively jeopardise the privacy and security of sensitive customer data and result in large-scale attacks and financial frauds.
How to stay safe from the virus
CERT-In also suggested some best practices that can be used to stay safe from the virus. The measures include: reduce the risk of downloading potentially harmful apps by limiting download sources to official app stores, such as your device manufacturer’s or operating system’s app store; review the app details, number of downloads, user reviews, comments and the “ADDITIONAL INFORMATION” section; and more.
Verify app permissions and grant only those that have relevant context for the app’s purpose. Install Android updates and patches, and do not browse un-trusted, among others.
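One way to act on this advice from a device-administration side, as an added example that is not part of the CERT-In advisory: the Python script below reads the output of two adb commands and flags packages that hold accessibility access but were not installed from an official store, the combination that SOVA-style banking Trojans depend on. The sample command outputs are constructed, and the set of official installer package names is an assumption to adjust for your own devices.

```python
import re

# Installer package names treated as official stores. Assumption for this
# example: Google Play and the Samsung Galaxy Store; extend for your fleet.
OFFICIAL_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample of `adb shell pm list packages -i` output (not real data).
PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.chrome.updater.fake  installer=com.google.android.packageinstaller
package:com.bank.example  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
A11Y_OUTPUT = "com.chrome.updater.fake/.MainAccessibilityService"

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(text):
    """Map package name -> installer package ('null' means preinstalled or adb)."""
    result = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility(text):
    """Return the set of packages that have an enabled accessibility service."""
    entries = [e for e in text.strip().split(":") if e]
    return {e.split("/", 1)[0] for e in entries}


def flag_suspicious(pm_text, a11y_text, official=OFFICIAL_INSTALLERS):
    """Packages with accessibility access that did not come from an official store."""
    installers = parse_installers(pm_text)
    hits = []
    for pkg in sorted(parse_accessibility(a11y_text)):
        installer = installers.get(pkg, "unknown")
        if installer not in official:
            hits.append((pkg, installer))
    return hits


if __name__ == "__main__":
    for pkg, installer in flag_suspicious(PM_OUTPUT, A11Y_OUTPUT):
        print(f"REVIEW {pkg}: accessibility enabled, installed via {installer}")
```

A package that is flagged deserves a look at its label and icon (SOVA impersonates well-known apps) and at whether it also holds overlay permission.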