In its most recent advisory, the central government’s cyber security agency stated that a new mobile banking Trojan, SOVA, which can secretly encrypt an Android phone for ransom and is difficult to remove, is targeting Indian users. The malware has been upgraded to its fifth version since it was first detected in Indian cyberspace in July. The advisory was issued by the Indian Computer Emergency Response Team, or CERT-In, the federal technology arm that combats cyber attacks and protects the country’s Internet space from phishing, hacking and other online attacks.
As per the advisory, “it has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan. The first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest user names and passwords via keylogging, stealing cookies and adding false overlays to a range of apps.”
Furthermore, SOVA formerly focused on nations such as the United States, Russia, and Spain, but in July 2022 it added numerous other countries, including India, to its list of targets. According to news agency PTI, the latest version of this malware hides itself within fake Android applications that carry the logo of a few well-known legitimate apps, such as Chrome, Amazon, and an NFT (non-fungible token, linked to cryptocurrency) platform, to trick users into installing them.
“This malware captures the credentials when users log into their net banking apps and access bank accounts. The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets,” the advisory additionally said.
The agency said the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans, adding “once the fake Android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted applications”.
“At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2,” it said.