Following CERT-In’s advice, several Indian banks including HDFC Bank and IDBI Bank have warned their customers not to download their mobile applications from sources other than the official app stores.
A new version of the Android banking Trojan SOVA has reportedly targeted over 200 mobile banking and cryptocurrency apps, stealing their credentials and session cookies.
The malware can also encrypt the data on a user's Android phone and hold it for ransom.
“It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using the Android Trojan SOVA,” CERT-In said.
What is SOVA?
SOVA is an Android banking Trojan that targets banking apps to steal personal information and adds fake overlays on top of a number of apps. The overlays mimic the targeted payment app so that the user enters credentials into the malware instead of the genuine app.
The malware was first discovered for sale on underground markets in September 2021. According to CERT-In, it was able to “harvest usernames and passwords via keylogging, steal cookies, and add fake overlays to a number of apps.”
The malware was initially concentrated in the USA, Russia and Spain. By July 2022, however, it had added more countries, including India, to its target list.
The malware is distributed as Android package files (“.apk”) installed from outside the official app stores.
How does SOVA work?
According to CERT-In, the malware spreads through smishing. Smishing is phishing over SMS: fraudulent text messages that ask recipients to share information such as passwords, or in this case to install a fake app.
Once the fake app is installed on the phone, the malware sends a list of all installed apps to a server controlled by the attacker.
The server returns the list of targeted apps that are present on the device, and the malware saves this information in an XML file. The malware and server then communicate to manage the list of targeted apps.
What can the SOVA virus do?
SOVA can perform several functions. These include performing gestures such as swiping, stealing cookies, taking screenshots, and adding fake overlays.
The malware has also received an update that adds ransomware capability: it can now encrypt all data on the device and hold it for ransom.
One of the most significant updates is the “Protections” module. When a user tries to uninstall an app that the malware has attacked, they are unable to do so, and the message “This app is secured” appears on the screen.
What can users do to protect themselves?
The most important step is to download apps only from the official app stores. Another step is to check the Additional Information section before installing an app and review the app details, download count and user ratings.
CERT-In also recommends installing the latest updates for apps and the operating system as provided by the device manufacturer, and installing and enabling antivirus software.
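As an added example (not part of the CERT-In advisory or the article), the shell function below audits an Android device's installed packages by their installer source, the check behind the "official app stores only" advice. It assumes the output format of `adb shell pm list packages -i` and treats only Google Play and the Samsung Galaxy Store as official installers; the package list embedded below is constructed sample output so the logic runs offline.

```shell
#!/bin/sh
# Flag installed Android packages that did not come from an official store.
# Assumption: installer package names of the stores we trust (extend as needed).
OFFICIAL_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# Reads "package:<name>  installer=<installer>" lines (the format printed by
# `pm list packages -i`) on stdin and prints "<package> <installer>" for every
# package whose installer is not in OFFICIAL_INSTALLERS. "installer=null" means
# the .apk was sideloaded; the system package installer means a manual install.
flag_sideloaded() {
  while IFS= read -r line; do
    case "$line" in
      package:*) ;;
      *) continue ;;   # skip anything that is not a package line
    esac
    pkg=${line#package:}
    pkg=${pkg%% *}                 # package name ends at the first space
    inst=${line##*installer=}      # installer is the last field on the line
    ok=0
    for o in $OFFICIAL_INSTALLERS; do
      [ "$inst" = "$o" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
      printf '%s %s\n' "$pkg" "$inst"
    fi
  done
}

# Constructed sample output of `adb shell pm list packages -i`; package
# names are placeholders, not real apps or indicators.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.bankapp  installer=com.android.vending
package:com.example.fakebankupdate  installer=null
package:com.example.vendorapp  installer=com.sec.android.app.samsungapps
package:org.example.sideloadedtool  installer=com.google.android.packageinstaller'

# Offline demonstration; on a real device pipe the live list instead:
#   adb shell pm list packages -i | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

Any package the function prints deserves a second look, especially one that presents itself as a banking or payment app.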
“Do not browse untrustworthy websites or follow untrustworthy links and be cautious when clicking on the link contained in unsolicited emails and SMS,” CERT-In’s notification reads.
Users were also advised to click only on URLs that clearly point to a legitimate website, and to keep the device firewall turned on.
Finally, users were asked to report any unusual activity on their bank accounts to the relevant bank immediately.