The Indian Computer Emergency Response Team (CERT-In), the country's cyber security agency, has a warning for all those who use their smartphones for banking. In an advisory, CERT-In said a new mobile banking 'Trojan' virus, SOVA, which can stealthily encrypt an Android phone for ransom and is hard to uninstall is targeting Indian customers.
The virus has the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps. The hackers, who had let loose this the virus, were earlier focusing on countries like the USA, Russia and Spain, but in July 2022 it added several other countries, including India, to its list of targets.
This virus is said to capture the credentials when users log into their net banking apps and access bank accounts. These attack campaigns can effectively jeopardize the privacy and security of sensitive customer data and result in large scale attacks and financial frauds, CERT-In, which comes under the IT Ministry, said.
The virus targets these apps
The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. "The latest version of this malware hides itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, NFT platform to deceive users into installing them," the CERT-In advisory said.
The malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans. Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (Command and Control server) controlled by the threat actor in order to obtain the list of targeted applications.
The malware can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from a webcam perform gestures like screen click, swipe etc. using android accessibility service, copy/paste and mimic over 200 banking and payment applications, the cyber security agency warned.
How to stay safe from this attack?
CERT-In added that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the capability to encrypt all data on an Android phone and hold it to ransom.
The agency advised the public to reduce the risk of downloading potentially harmful apps by limiting the download sources to official app stores. Also, prior to downloading/installing apps on android devices, review the app details, number of downloads, user reviews, comments and 'Additional Information' section. Verify app permissions and grant only those permissions which have relevant context for the app's purpose. Install Android updates and patches as and when available from Android device vendors, CERT-In said.
In general, do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs. Look for suspicious numbers that don't look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Do extensive research before clicking on link provided in the message. Users should report any unusual activity in their account immediately to the respective bank with the relevant details for taking further appropriate actions.
