A new mobile banking Trojan, SOVA, which can stealthily encrypt files on an Android phone for ransom and is hard to uninstall, is targeting Indian banking customers, the country’s federal cyber security agency said in its latest advisory.
The malware has reached its fifth version since it was first detected in Indian cyberspace in July, the advisory said.
Check Key Updates From The Advisory:
- CERT-In has received reports that Indian banking customers are being targeted by a new mobile banking malware campaign using the SOVA Android Trojan.
- The first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest usernames and passwords via keylogging, steal cookies and add fake overlays to a range of apps.
- SOVA, it said, was earlier focusing on countries like the US, Russia and Spain, but in July 2022 it added several other countries, including India, to its list of targets.
- The latest version of this malware, according to the advisory, hides itself within fake Android applications that carry the logo of a few well-known legitimate apps, such as Chrome, Amazon and an NFT (non-fungible token, a crypto-asset) platform, to deceive users into installing them.
- This malware captures the credentials when users log into their net banking apps and access bank accounts.
- The new version of SOVA appears to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.
- The Indian Computer Emergency Response Team, or CERT-In, is the federal agency that responds to cyber-attacks and guards the country’s Internet space against phishing, hacking and similar online attacks.
- The agency said the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans.
“Once the fake Android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted applications.”
“At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2,” it said.
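The exchange the advisory describes, worked through as an added illustration (this is not code from the advisory, from CERT-In or from the malware itself): the infected app reports every installed package, the C2 answers with only the apps it has overlays for and the address each overlay is served from, and the malware keeps that answer in an XML file. The JSON message shape, the XML element names, the package names and the overlay addresses are all assumptions constructed here; the real SOVA formats are not given on this page. The last function is the analyst's side, reading such an XML file recovered from a device to see which of the victim's apps were being overlaid.

```python
"""Simulation of the app-inventory / target-list exchange described in the
CERT-In advisory.  Added illustration only: message shapes, XML layout and
all sample package names and addresses are constructed assumptions.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample of what a C2 operator might hold: target package ->
# address the overlay for that app is fetched from.  Placeholder values only.
C2_TARGET_CATALOGUE = {
    "com.examplebank.mobile": "https://c2.example.invalid/inj/examplebank.html",
    "com.examplecrypto.wallet": "https://c2.example.invalid/inj/examplecrypto.html",
    "com.example.shopping": "https://c2.example.invalid/inj/shopping.html",
}

# Constructed sample of packages installed on a victim device.
INSTALLED_ON_DEVICE = [
    "com.android.chrome",
    "com.examplebank.mobile",
    "com.example.notes",
    "com.examplecrypto.wallet",
]


def build_inventory_message(installed_packages):
    """Malware side, step 1: serialise the full installed-app list for the C2.
    The JSON shape is an assumption."""
    return json.dumps({"type": "app_list", "apps": sorted(installed_packages)})


def c2_select_targets(inventory_message, catalogue):
    """C2 side, step 2: intersect the reported apps with the operator's
    catalogue and return only the matching apps with their overlay addresses."""
    reported = set(json.loads(inventory_message)["apps"])
    return {pkg: addr for pkg, addr in catalogue.items() if pkg in reported}


def targets_to_xml(targets):
    """Malware side, step 3: persist the C2's answer as XML, as the advisory
    says the malware does.  Element and attribute names are assumptions."""
    root = ET.Element("targets")
    for pkg, addr in sorted(targets.items()):
        ET.SubElement(root, "app", package=pkg, inject=addr)
    return ET.tostring(root, encoding="unicode")


def targeted_apps_from_xml(xml_text):
    """Analyst side: read an XML file of the layout written above and list
    which installed apps were overlaid and where each overlay came from."""
    root = ET.fromstring(xml_text)
    return {el.get("package"): el.get("inject") for el in root.findall("app")}


def simulate_exchange(installed, catalogue=C2_TARGET_CATALOGUE):
    """Run the three steps end to end and return the analyst's view."""
    msg = build_inventory_message(installed)
    chosen = c2_select_targets(msg, catalogue)
    xml_text = targets_to_xml(chosen)
    return targeted_apps_from_xml(xml_text)


if __name__ == "__main__":
    for pkg, addr in simulate_exchange(INSTALLED_ON_DEVICE).items():
        print(f"{pkg} -> overlay served from {addr}")
```

The point of the round trip is that the victim's app inventory, not the malware binary, decides which overlays get delivered, so two devices running the same sample receive different target lists; an analyst who only has the APK sees the C2 endpoint but not the targets, while the XML file on the device shows exactly which banking or wallet apps the operator was intercepting on that phone.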