CERT-In has issued a warning about a new mobile banking malware campaign using the Android Trojan SOVA, which targets more than 200 mobile apps.
Indian bank customers are being targeted by a new breed of mobile banking malware campaign using the Android Trojan SOVA, India’s Computer Emergency Response Team (CERT-In), part of the Ministry of Electronics and Information Technology, said in its latest report. SOVA previously focused on countries such as the US, Russia and Spain, but since July 2022 it has added India to its list of targets along with several other countries, the agency said. The latest version of the malware hides in fake Android apps that display the logos of well-known legitimate apps such as Chrome, Amazon and an NFT platform to trick users into installing them.
The new version of SOVA targets more than 200 mobile applications, including banking apps and crypto exchanges/wallets. The malware collects credentials when users log into their net banking apps and access bank accounts. According to reports, like most Android banking Trojans, the malware is distributed via smishing attacks (phishing via SMS). “Once the fake Android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the attacker to get the list of targeted applications,” said CERT-In.
It further added: “At this point, the C2 sends the list of addresses for each targeted application back to the malware and stores this information in an XML file. These target applications are then managed through the communication between the malware and the C2.”
Feature list of SOVA malware
The malware’s list of features includes the ability to collect keystrokes, steal cookies, intercept Multi-Factor Authentication (MFA) tokens, capture screenshots and videos from a webcam, perform gestures such as screen clicks and swipes using the Android accessibility service, copy/paste, add fake overlays to a range of apps, and mimic over 200 banking and payment apps.
“It was discovered that the makers of SOVA recently upgraded it to its fifth version since its launch, and this version has the ability to encrypt all data on an Android phone and hold it for ransom,” the statement reads. Another key feature of the virus, according to the report, is the redesign of its “Protection” module, which aims to protect itself from various victim actions.
For example, if the user tries to uninstall the malware via settings or by pressing the icon, SOVA can intercept and prevent these actions by returning to the home screen and displaying a toast (small popup) with the message “This app is secured,” it said.
These attack campaigns can effectively compromise the privacy and security of sensitive customer data, leading to large-scale attacks and financial fraud.
How to protect yourself from the virus
CERT-In also suggested some best practices that can be used to protect against the virus. Measures include: reduce the risk of downloading potentially harmful apps by restricting download sources to official app stores, such as the app store of the device manufacturer or of your device’s operating system; check app details, the number of downloads, user ratings, comments and the “ADDITIONAL INFORMATION” section; and more.
Review app permissions and only grant those that have relevant context for the purpose of the app. Install Android updates and patches, among other things, and browse only trustworthy
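Two of the measures above, checking where an app was installed from and reviewing what it is allowed to do, can be turned into a quick device audit. The script below is an added example written for this article, not code from CERT-In or from the advisory. It parses the text output of two real adb commands, `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services` (the colon-separated list of enabled accessibility services), and flags any third-party app that was not installed by a trusted store or that holds an enabled accessibility service without being on an allowlist. The sample outputs, the trusted-installer set and the allowlist are constructed assumptions; the package names in the samples are fictitious.

```python
"""Audit third-party Android apps for SOVA-style risk signals.

Added example (not CERT-In's code). Expects the pasted output of:
  adb shell pm list packages -3 -i
      -> lines like "package:<name>  installer=<installer or null>"
  adb shell settings get secure enabled_accessibility_services
      -> "<pkg>/<ServiceClass>:<pkg2>/<ServiceClass2>" or "null"
"""
import re
from dataclasses import dataclass, field

# Assumption: these installer packages count as official stores.
TRUSTED_INSTALLERS = {
    "com.android.vending",                 # Google Play
    "com.sec.android.app.samsungapps",     # Samsung Galaxy Store
}

# Assumption: accessibility services we accept (a well-known screen reader).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}

PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_package_list(text: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -3 -i` output.
    An installer of 'null' means the app was side-loaded or pushed via adb."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("installer")
    return result


def parse_accessibility_services(text: str) -> set[str]:
    """Return the package names that currently have an enabled accessibility
    service. Entries are 'pkg/ServiceClass' joined by ':'; 'null' when none."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def audit(packages: dict[str, str], a11y_packages: set[str]) -> list[Finding]:
    """Flag apps from untrusted sources and non-allowlisted accessibility users."""
    findings: list[Finding] = []
    for pkg, installer in sorted(packages.items()):
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed from untrusted source (installer={installer})")
        if pkg in a11y_packages and pkg not in ACCESSIBILITY_ALLOWLIST:
            reasons.append("holds an enabled accessibility service")
        if reasons:
            findings.append(Finding(pkg, reasons))
    return findings


# Constructed sample output; package names are fictitious.
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.fake  installer=null
package:com.example.game  installer=com.sec.android.app.samsungapps
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.chrome.update.fake/.AccService"
)


def run_sample() -> list[Finding]:
    return audit(parse_package_list(SAMPLE_PACKAGES),
                 parse_accessibility_services(SAMPLE_A11Y))


if __name__ == "__main__":
    for f in run_sample():
        print(f.package)
        for r in f.reasons:
            print("  -", r)
```

On the constructed sample only the side-loaded Chrome look-alike is reported, with both reasons, while the allowlisted screen reader installed from Google Play is silent. On a real device, replace the two sample strings with the actual adb output; anything flagged is a candidate for the permission review and uninstall the advisory recommends.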