The Indian Computer Emergency Response Team (CERT-In), the country’s cyber security agency, is warning anyone using their smartphone for banking. In an advisory, CERT-In said a new mobile banking “trojan” virus, SOVA, which can secretly encrypt an Android phone for ransom and is difficult to uninstall, is targeting Indian customers.
The virus has the ability to collect usernames and passwords via keylogging, steal cookies and add fake overlays to a number of apps. The hackers who spread this virus used to focus on countries like the US, Russia, and Spain, but in July 2022, they added several other countries, including India, to their list of targets.
This virus aims to capture credentials when users log into their net banking apps and access bank accounts. These attack campaigns can effectively compromise the privacy and security of sensitive customer data, leading to large-scale attacks and financial fraud, said CERT-In, which reports to the IT ministry.
The virus targets these apps
SOVA’s new version seems to target more than 200 mobile applications, including banking apps and crypto exchanges/wallets. “The latest version of this malware hides in fake Android applications that appear with the logo of some famous legitimate apps like Chrome, Amazon, NFT platform to trick users into installing them,” the CERT-In advisory states.
Like most Android banking Trojans, the malware is distributed via smishing attacks (phishing via SMS). Once installed on the phone, the fake Android application sends the list of all the applications installed on the device to the C2 (Command and Control Server) controlled by the attacker to get the list of the targeted applications.
The malware can collect keystrokes, steal cookies, intercept Multi-Factor Authentication (MFA) tokens, take screenshots and record videos from a webcam, perform gestures like screen clicks, swipes, etc. using the Android accessibility service, copy/paste, and mimic over 200 banking and payment applications, the cybersecurity agency warned.
How to protect yourself from this attack?
CERT-In added that the makers of SOVA recently updated it to its fifth version since its launch, and this version has the ability to encrypt all data on an Android phone and hold it for ransom.
The agency advised the public to reduce the risk of downloading potentially harmful apps by limiting download sources to official app stores. Also, before downloading/installing apps on Android devices, check the app details, number of downloads, user ratings, comments and “Additional Information” section. Review app permissions and only grant those permissions that have relevant context for the purpose of the app. Install Android updates and patches as they become available from Android device vendors, CERT-In said.
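The capabilities the advisory lists (fake overlays, keylogging and gesture injection through the accessibility service, MFA interception over SMS, enumeration of installed apps for the C2) each depend on a permission or service an app must declare in its manifest, which is what the "review app permissions" advice above amounts to in practice. The following triage heuristic is an added example, not CERT-In's or any vendor's tooling; the manifest it parses is constructed for illustration, and the permission-to-capability mapping is an assumption used for triage, not a malware signature.

```python
"""Flag manifest declarations that match the capabilities CERT-In attributes to
SOVA. Input is a decoded AndroidManifest.xml (as produced by apktool or similar).
Constructed example; the mapping below is a triage heuristic, not a signature."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declared permission -> advisory capability it enables (assumed mapping).
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "fake overlays drawn on top of other apps",
    "android.permission.RECEIVE_SMS": "interception of SMS-delivered MFA tokens",
    "android.permission.READ_SMS": "interception of SMS-delivered MFA tokens",
    "android.permission.QUERY_ALL_PACKAGES": "enumeration of installed apps (sent to C2)",
}
# Intent action that marks a service as an accessibility service.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of findings and a simple count score."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in SUSPECT_PERMISSIONS:
            findings.append(f"{name}: {SUSPECT_PERMISSIONS[name]}")
    # An accessibility service can read typed text and inject clicks/swipes,
    # which is how the advisory says keystrokes and gestures are captured.
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            findings.append(f"service {svc.get(ANDROID_NS + 'name')}: "
                            "accessibility service (keylogging, gesture injection)")
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}


# Constructed manifest of a fake "browser" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

A high score only means the app asks for the same capabilities the advisory describes; a legitimate accessibility tool or SMS client will also trip it, so treat the output as a prompt to check the app's provenance and reviews, as the agency advises.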
In general, do not surf untrustworthy websites or follow untrustworthy links and be careful when clicking on the link contained in unsolicited emails and SMS. Look for suspicious numbers that don’t look like real cell phone numbers. Scammers often hide their identities by using email-to-text services to avoid revealing their actual phone number. Do extensive research before clicking the link provided in the message. Users should immediately report any unusual activity on their account to the relevant bank with the relevant details for further appropriate action.