The Indian Computer Emergency Response Team (CERT-In) reported that the SOVA Android Trojan, a new mobile banking malware campaign, is targeting Indian banking customers. In an advisory issued on September 10, CERT-In, the nodal body for cybersecurity issues, stated that the first version of the malware was available in underground markets in September 2021.
The SOVA Android banking trojan is still under active development, with upgraded capabilities to target no fewer than 200 mobile applications, including banking apps, crypto exchanges, and wallets, up from 90 apps when it first appeared.
According to the latest findings from the Italian cybersecurity firm Cleafy, newer versions of the malware can intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to include Australia, Brazil, China, the UK, the Philippines, and recently India.
How it is Spread
According to the agency, the malware, like most Android banking Trojans, is distributed via smishing (phishing via SMS) attacks. Once the fake Android application is installed on the phone, it sends a list of all applications installed on the device to the threat actor’s C2 (command and control server) so that the C2 can match it against its list of targeted applications. The C2 then sends the malware a list of addresses for each targeted application, which the malware stores in an XML file. From that point on, the targeted applications are managed through communications between the malware and the C2.
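Because the infection chain starts with a text message carrying a link to a sideloaded package, a useful defensive check is to triage incoming SMS text for the hallmarks of such a lure. The following is an added example, not part of the CERT-In advisory or this article: the sample messages are constructed, and the scoring rules, the trusted-host list and the hypothetical names (analyse_sms, TRUSTED_APP_HOSTS) are assumptions rather than any agency's detection logic.

```python
"""
Heuristic triage of SMS text for sideloading lures (added example, assumptions
throughout: the scoring weights and trusted-host list are illustrative).
"""
import re
from urllib.parse import urlparse

# Hosts a defender would treat as legitimate app-distribution points.
# Assumption: in practice this list is maintained by the organisation.
TRUSTED_APP_HOSTS = {"play.google.com", "apps.apple.com", "galaxy.store"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|blocked|verify|kyc|expire[sd]?)\b", re.IGNORECASE
)
INSTALL_RE = re.compile(r"\b(app|apk|update|install)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def analyse_sms(text: str) -> dict:
    """Score one SMS and list the reasons it looks like a sideloading lure."""
    reasons = []
    score = 0
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if path.endswith(".apk"):
            # A direct package download bypasses the official store entirely.
            score += 3
            reasons.append(f"direct APK download: {url}")
        elif host and host not in TRUSTED_APP_HOSTS and INSTALL_RE.search(text):
            # "Install/update the app" wording pointing outside the store.
            score += 2
            reasons.append(f"app install link outside trusted stores: {host}")
        if IPV4_RE.fullmatch(host):
            score += 2
            reasons.append(f"link points at a raw IP address: {host}")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency language")
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed sample messages (the IP address is from a documentation range).
SAMPLE_SMS = [
    "Your account will be suspended. Update the bank app now: http://203.0.113.5/bank-update.apk",
    "Your parcel is out for delivery. Track at https://play.google.com/store/apps/details?id=com.example.courier",
    "Reminder: your appointment is tomorrow at 10:00.",
]


def triage(messages):
    """Run the heuristic over a batch of messages and return the verdicts."""
    return [analyse_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_SMS, triage(SAMPLE_SMS)):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"[{flag}] score={verdict['score']} {msg[:60]}...")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

The first sample trips three rules at once (a direct .apk link, a raw IP host and urgency wording), while the store link and the benign reminder score zero; the threshold is deliberately low because a single direct-APK link is already enough to warrant a closer look.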
Effects on devices
The severity of the malware is clear from its capabilities: it can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots, record video from a webcam, and perform gestures such as screen clicks and swipes using the Android accessibility service.
It was discovered that the creators of SOVA recently upgraded it to its fifth version since its inception. This version can encrypt all data on an Android phone and hold it to ransom. It can also add fake overlays to a variety of apps and “mimic” over 200 banking and payment apps to deceive Android users.
According to the advisory, another critical feature of the malware is the refactoring of its “protections” module, which is designed to defend the malware against various actions by the victim.
For example, if the user tries to delete the malware through the settings or by touching its icon, SOVA can intercept and block these operations by returning to the home screen and presenting a popup reading “This app is protected.”
According to the report, these attack campaigns can effectively jeopardise the privacy and security of sensitive customer data, resulting in “Big scale” attacks and financial scams.
Specific countermeasures and best practices have been issued that users may adopt to keep themselves safe from infection, including:
Limit and avoid downloading from sketchy and unknown sources: Users should limit their download sources to official app stores, such as the device manufacturer’s or operating system’s app store, and should always examine the app description, the number of downloads, user reviews, comments, and the “Additional Information” section.
Grant app permissions only in relation to the app’s purpose: Users should also validate app permissions and allow only those relevant to the app’s purpose.
Regularly install Android updates and patches: Users should install Android updates and patches as they are released, avoid visiting unknown websites or clicking on unknown links, and exercise caution before clicking links in unsolicited emails and SMS messages.
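The second countermeasure, checking that an app’s permissions match its purpose, can be made concrete by reading the permissions an Android package declares in its manifest and flagging those that give it the reach the article attributes to SOVA (accessibility-service control, screen overlays, SMS interception for 2FA codes, camera and audio capture). The following is an added example, not from the article or CERT-In: the manifest is constructed, the permission names are real Android identifiers, and the high-risk list, the purpose profiles and the helper names (review_manifest, PURPOSE_ALLOWLIST) are assumptions.

```python
"""
Permission-versus-purpose review of an Android manifest (added example; the
risk classification and purpose profiles are illustrative assumptions).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; treating them as high-risk for a consumer
# app is our assumption, based on the capabilities described for SOVA.
HIGH_RISK = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "control the screen via the accessibility service",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.RECEIVE_SMS": "read incoming SMS, including 2FA codes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.CAMERA": "capture video",
    "android.permission.RECORD_AUDIO": "capture audio",
}

# Hypothetical purpose profiles: which high-risk permissions a given kind of
# app plausibly needs. Anything high-risk outside the profile is a finding.
PURPOSE_ALLOWLIST = {
    "flashlight": set(),
    "courier tracker": {"android.permission.CAMERA"},  # barcode scanning
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every permission the manifest requests or binds a service to."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is not requested via <uses-permission>; it
    # appears as the android:permission attribute of a <service> element.
    perms |= {el.get(PERM_ATTR) for el in root.iter("service") if el.get(PERM_ATTR)}
    return {p for p in perms if p}


def review_manifest(manifest_xml: str, purpose: str) -> list:
    """Return (permission, what it enables) for each high-risk permission
    that the app's stated purpose does not justify."""
    allowed = PURPOSE_ALLOWLIST.get(purpose, set())
    return [
        (perm, HIGH_RISK[perm])
        for perm in sorted(declared_permissions(manifest_xml))
        if perm in HIGH_RISK and perm not in allowed
    ]


# Constructed manifest: a "flashlight" app that asks for overlay, SMS and
# accessibility access, which a flashlight has no reason to need.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for perm, capability in review_manifest(SAMPLE_MANIFEST, "flashlight"):
        print(f"unjustified: {perm} (lets the app {capability})")
```

The same check applied to the "courier tracker" profile still flags all three permissions, since the profile only excuses camera access; INTERNET is never reported because on its own it is ordinary for almost any app. A user performing the manual check the advisory recommends is asking exactly this question: does the stated purpose explain each permission the app requests?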
This is one of the latest instances of a new breed of cyber threats plaguing consumers as we move further into the digital realm. Hence netizens must learn about cyber hygiene and their role in a healthy and safe cyberspace.
Author: Shrey Madaan, Research Associate, CyberPeace Foundation