This dangerous new malware now also packs ransomware to lock your Android phone

Two people texting on smartphones
(Image credit: Pixabay)

A new strain of dangerous ransomware has evolved to target Android devices, researchers are warning. 

Experts from Cleafy have analyzed the fifth and latest version of the popular Android banking trojan SOVA, and discovered multiple new features, including the ability to encrypt locally stored files. 

According to the researchers, the malware uses AES encryption to add the .enc extension to all files and prevent the user from accessing them. 

Developing the trojan

"The ransomware feature is quite interesting as it's still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data," Cleafy says.

The fifth version of the trojan is not fully developed, the researchers added, but warned it is nevertheless ready for mass deployment. 

SOVA’s owners have been aggressively developing their product for the past couple of months. So far this year, the tool has seen numerous new tools introduced, including two-factor authentication interception, as well as new injections for multiple global banks. It has also seen virtual network computing (VNC) capabilities for on-device fraud. This feature, however, still seems to be under construction.

SOVA is currently capable of targeting more than 200 banks worldwide, as well as numerous cryptocurrency exchanges, and digital wallets. It is capable of taking screenshots, performing taps and swipes, stealing files from compromised endpoints, and adding overlay screens for various apps. It can also steal cookies froM Gmail, Gpay, as well as Google Password Manager.

So far, ransomware was only reserved for desktop devices and servers, as its operators were mostly interested in targeting companies and corporations. It seems as the threat actors are looking to diversify, as businesses get better at protecting their premises and keeping airgapped backups. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.