Indians at risk because of this new mobile banking virus: Check details

The Trojan hides within fake Android apps and mimics Chrome, Amazon, etc.

The Trojan hides within fake Android apps and mimics Chrome, Amazon, etc. (Credit: Reuters)

A new mobile banking virus is faking the logos of popular apps like Chrome or Amazon and deceiving people into installing it. According to the latest advisory from the country’s federal cyber security agency, this new mobile banking Trojan, SOVA, can secretly encrypt an Android phone for ransom and is hard to uninstall.

According to the advisory, the Trojan has been upgraded to its fifth version since it was first detected in Indian cyberspace in July. The first version of the virus went on sale in underground markets in September 2021, when it could harvest usernames and passwords via keylogging, steal cookies and add false overlays to a range of apps.

It also said that SOVA was earlier active in the US, Russia, and Spain – however, in July 2022, it added several other countries to its list – including India.

The latest version of the virus hides within fake Android apps imitating the logo of popular and trusted apps like Chrome, Amazon, and NFT platforms to deceive users into installing the virus on phones. The advisory further added that this malware captures the credentials when users log in to the net banking apps and access bank accounts. The new version of the SOVA virus seems to be targeting more than 200 mobile applications, including several banking apps and crypto exchanges/wallets.

Explaining the modus operandi of the virus, the Indian Computer Emergency Response Team (CERT-In) said the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans. “Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted applications.”

It further explained that at this point, the C2 sends back to the malware the list of addresses for each targeted app and stores this information inside an XML file. These targeted apps are then managed through the communications between the malware and the C2.

Such attack campaigns can put one’s privacy and security at risk and, as a result, may lead to “large-scale” attacks and financial frauds, the agency said.

CERT-In suggests some counter-measures and best practices that can keep the users safe from the Trojan.

Users should reduce the risk of downloading potentially harmful apps by limiting their download sources to official app stores, like Google Play Store or the device manufacturer’s app store. One should always review the app’s details, the number of downloads, user reviews, and the additional information section, it said.

One should also verify app permissions and grant only those that are relevant to the app’s purpose.

One should also install regular Android updates and patches, stay away from untrusted websites, and be cautious when clicking on links provided in unsolicited SMSs or emails.


This article was first uploaded on September sixteen, twenty twenty-two, at fifty-seven minutes past one in the afternoon.