“This malware captures the credentials when users log into their net banking apps and access bank accounts,” CERT-IN said. The malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans
The Union government has warned that Indians are being targeted by a new type of mobile banking malware campaign using ‘SOVA Android Trojan’ (file type .apk) which can cause “large-scale attacks and financial frauds” besides having the capability to encrypt all data on an Android phone and hold it to ransom.
The Indian Computer Emergency Response Team (CERT-In) which is the country’s cyber security nodal agency under the Ministry of Electronics and Information Technology (MeitY) has issued an advisory stating that the malware is targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.
What is SOVA Android Trojan?
The first version of SOVA Android Trojan malware appeared on sale in underground markets in September 2021 with the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps, CERT-In said.
Also read: 37K cybercrime complaints in Haryana till Aug, 15K disposed of
SOVA was earlier focusing on countries like USA, Russia and Spain, but in July 2022 it added several other countries, including India, to its list of targets, it said.
According to reports, SOVA was first announced in September 2021, and SOVA means owl in Russian.
“This name was chosen by the threat actor himself/herself possibly because of owl’s nature as nocturnal birds of prey, quiet but efficient in stalking and capturing their victims,” The Netherlands-based company ThreatFabricwhich provides solutions to banks to fight cyberattacks and help run a secure mobile payments business, said.
Why it is deadly
“The latest version of this malware hides itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, NFT platform to deceive users into installing them. This malware captures the credentials when users log into their net banking apps and access bank accounts,” CERT-IN explained.
Also read: CyberX9 says data of 20 million postpaid customers of Vodafone Idea exposed
As per reports, the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans.
Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (Command and Control server) controlled by the threat actor in order to obtain the list of targeted applications.
At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2.
The malware’s list of functions includes the ability to collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from a webcam, perform gestures like screen click, swipe etc. using android accessibility service, copy/paste, adding false overlays to a range of apps, and mimic over 200 banking and payment applications, CERT-In said.
Also read: Malware in 5 phones, no conclusive proof of Pegasus spyware: SC panel
“The makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the ability to encrypt all data on an android phone and hold it to ransom. Another key feature of SOVA is the refactoring of its ‘protections’ module, which aims to protect itself from different victims’ actions,” it added.
For example, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them (through the abuse of the accessibility) by returning to the home screen and showing a toast (small popup) displaying “This app is secured”.
“These attack campaigns can effectively jeopardize the privacy and security of sensitive customer data and result in large-scale attacks and financial frauds,” the nodal agency warned.
What do you need to do to protect yourself?
Download apps from official app stores.
Prior to downloading/installing apps on android devices (even from Google Play Store), always review the app details, number of downloads, user reviews, comments and “additional information” section.
Verify app permissions and grant only those permissions which have relevant context for the app’s purpose.
Also read: Over 100% increase in cyber crime in Delhi during 2020-21
Do not check the “untrusted sources” checkbox to install side-loaded apps.
Install Android updates and patches as and when available from Android device vendors.
Do not browse untrusted websites or follow untrusted links.
Do not click links provided in any unsolicited emails and SMSes.
Look for suspicious numbers that don’t look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone numbers.
Genuine SMS messages from banks usually contain the sender id (bank’s name) instead of a phone number.
Install and maintain updated anti-virus antispyware software.
Also read: Cyber attacker demands ₹57 Cr ransom from Oil India
Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users should hover their cursors over the shortened URLs to see the full website domain which they are visiting or use an URL checker that will allow users to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
Look out for valid encryption certificates by checking for the green lock in the browser’s address bar before providing any sensitive information such as personal, or account login details.
These are the best practices one should follow to prevent themselves from malware attacks, CERT-IN said.