The Indian Computer Emergency Response Team (CERT-In), the country's cybersecurity agency, has a warning for everyone who uses a smartphone for banking. In a statement, CERT-In said that a new Android banking Trojan, SOVA, which can silently encrypt the data on an Android phone and hold it for ransom and is difficult to uninstall, is targeting Indian customers.
The Trojan can harvest usernames and passwords through keylogging, steal cookies and place fake overlays on top of legitimate apps. Its operators previously targeted countries such as the US, Russia and Spain; in July 2022 they added several more countries, including India, to the target list.
The malware captures credentials when users log in to their online banking apps and access their accounts. Such campaigns can compromise the privacy and security of sensitive customer data and lead to large-scale attacks and financial fraud, said CERT-In, which comes under the IT Ministry.
The virus targets these apps
The new version of SOVA appears to target over 200 mobile apps, including banking apps and cryptocurrency exchanges and wallets. "The latest version of this malware hides in fake Android apps that appear with the logo of some famous legitimate apps like Chrome, Amazon and an NFT platform to trick users into installing them," the CERT-In statement said.
Like most Android banking Trojans, the malware is distributed through smishing (SMS phishing). Once the fake app is installed, it sends the list of all apps on the device to the command-and-control (C2) server run by the threat actor, which replies with the subset of installed apps it wants to target.
The malware can log keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots, record video from the camera and perform gestures such as tapping and swiping on the screen. By abusing Android's accessibility service it can also copy and paste, and it can imitate more than 200 banking and payment apps, the agency warned.
How to protect yourself from this attack?
CERT-In added that SOVA's developers have recently rewritten it from the ground up for its fifth version, which can encrypt all data on an Android phone and hold it for ransom.
The agency advised the public to reduce the risk of downloading harmful apps by limiting download sources to official app stores. Before downloading or installing an app on an Android device, review the app details, number of downloads, user ratings, comments and the 'Additional Information' section. Check the permissions the app requests and grant only those that make sense for the app's stated purpose. Install Android updates and patches as soon as the device vendor makes them available, said CERT-In.
In general, do not browse untrustworthy websites or follow untrustworthy links, and be careful before clicking a link in an unsolicited email or SMS. Watch for sender numbers that do not look like real mobile numbers: scammers often hide their identity behind email-to-text services so that no real phone number is shown. Verify where a message really came from before clicking any link it contains. Report any unusual activity on your account to your bank immediately, with the relevant details, so that it can take appropriate action.
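The two behaviours described above, a sideloaded app posing as a well-known one and the abuse of Android's accessibility service, are both visible from a laptop with `adb`. The script below is an added triage example, not CERT-In's or the SOVA authors' code: it parses the output of `adb shell pm list packages -i` (which prints one `package:<name>  installer=<installer>` line per package) to find apps not installed by the Play Store (`com.android.vending`), parses the `enabled_accessibility_services` secure setting to find apps holding accessibility access, and reports the intersection. The package names and the two sample outputs are constructed for the example; `com.chrome.update.service` standing in for a fake "Chrome" app is an assumption, not a known SOVA identifier.

```shell
#!/bin/sh
# Added triage example (not CERT-In's tooling): flag packages that were not
# installed through the Play Store and that also hold an enabled accessibility
# service, the combination an overlay/keylogging Trojan such as SOVA relies on.

# Constructed sample of `adb shell pm list packages -i` output. The package
# names are invented for this example.
SAMPLE_PACKAGES='package:com.android.chrome  installer=com.android.vending
package:com.amazon.mShop.android.shopping  installer=com.android.vending
package:com.chrome.update.service  installer=null
package:com.example.nftviewer  installer=com.google.android.packageinstaller
package:com.whatsapp  installer=com.android.vending'

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated <package>/<service class> entries).
SAMPLE_A11Y='com.chrome.update.service/com.chrome.update.service.AccessService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Package names whose installer is not the Play Store (com.android.vending).
# "null" means the APK was opened directly; other values are third-party
# stores or the system package installer. CRs are stripped because older adb
# builds emit CRLF line endings.
flag_sideloaded() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F'[: =]+' '$1 == "package" && $4 != "com.android.vending" { print $2 }'
}

# Package names that currently own an enabled accessibility service.
list_a11y_packages() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | awk -F/ 'NF { print $1 }'
}

# Intersection of the two: sideloaded packages wielding accessibility access.
suspect_packages() {
    sideloaded=$(flag_sideloaded "$1")
    a11y=$(list_a11y_packages "$2")
    for p in $sideloaded; do
        for a in $a11y; do
            if [ "$p" = "$a" ]; then
                echo "$p"
            fi
        done
    done
}

# Against the constructed sample this prints com.chrome.update.service.
# With a device attached and USB debugging enabled, call it as:
#   suspect_packages "$(adb shell pm list packages -i)" \
#                    "$(adb shell settings get secure enabled_accessibility_services)"
suspect_packages "$SAMPLE_PACKAGES" "$SAMPLE_A11Y"
```

A hit from `suspect_packages` is a lead, not proof: legitimate screen readers and automation tools also use accessibility services, and a Trojan shipped through a third-party store will show that store as its installer rather than `null`. The check is useful precisely because a banking Trojan cannot do overlays, keylogging or remote gestures without the accessibility grant, so any unexpected package holding it deserves a closer look.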