New mobile banking virus 'Sova' targets Indian users

A new mobile banking 'Trojan' virus Sova can stealthily encrypt an Android phone for ransom and is targeting Indian customers, the country's federal cyber security agency CERT-In (Computer Emergency Response Team) said in its latest advisory. 

The first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest user names and passwords via key logging, stealing cookies and adding false overlays to a range of apps,” the advisory said. 

The virus has upgraded to its fifth version after it was first detected in the Indian cyberspace in July 2022, it said. Earlier it included countries like the US, Russia and Spain to its list of target.

The latest version of this malware, according to CERT-in, hides itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, NFT (non-fungible token linked to crypto currency) platform to deceive users into installing them. “This version has the capability to encrypt all data on an Android phone and hold it to ransom,” it said. 

“This malware captures the credentials when users log into their net banking apps and access bank accounts. The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets,” the advisory said. 

"Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the command-and-control server (C2) controlled by the threat actor in order to obtain the list of targeted applications." 

"At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2," it said. 

The lethality of the virus can be gauged from the fact that it can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from a webcam and can perform gestures like screen click, swipe etc. using android accessibility service and also add false overlays to a range of apps and "mimic" over 200 banking and payment applications in order to con the Android user. 

“Mostly, the malware is side loaded from non-play store mediums, and an overlay screen hides the actual screen from the victim,” said Manish Mimani, CEO of Protectt.ai, a mobile security company, which has been studying the impact of this virus. He added that these attack campaigns can effectively jeopardise the privacy and security of sensitive customer data and result in "large-scale" attacks and financial frauds. 

As counter measure, he suggested that a "runtime self-protection solution that prevents screenshots, detects screen overlays and identifies accessibility permission divergence through device policy enforcement, can work to thwart such kind of Malware Threats". 

CERT-in has also warned users to always pay attention to the app details, number of downloads, user reviews, comments and other information section, it said. 

“At the same time, users should install regular Android updates and patches and not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited messages and emails,” it said.