New mobile banking virus prowling in Indian cyberspace


A new mobile banking ‘Trojan’ virus, SOVA, which can stealthily encrypt an Android phone for ransom and is hard to uninstall, is targeting Indian customers, the country’s federal cyber security agency said in its latest advisory.

The virus has upgraded to its fifth version after it was first detected in Indian cyberspace in July, it said.

“It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan. The advisory said that the first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest user names and passwords via keylogging, steal cookies, and add false overlays to a range of apps,” the advisory said.

SOVA, it said, was earlier focusing on countries like the US, Russia, and Spain, but in July 2022, it added several other countries, including India, to its list of targets.

According to the advisory, the latest version of this malware hides within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, and NFT (non-fungible token linked to cryptocurrency) platform to deceive users into installing them.

“This malware captures the credentials when users log into their net banking apps and access bank accounts. The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets,” the advisory said.

The Indian Computer Emergency Response Team, or CERT-In, is the federal technology arm to combat cyber attacks and guards the Internet space against phishing and hacking assaults and similar online attacks.

The agency said the malware is distributed via smishing (phishing via SMS) attacks, like most Android banking Trojans.

“Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor to obtain the list of targeted applications.”

“At this point, the C2 sends the list of addresses for each targeted application to the malware and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2,” it said.

The lethality of the virus can be gauged from the fact that it can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from a webcam and can perform gestures like screen click, swipe, etc. using android accessibility service.

It can also add false overlays to a range of apps and “mimic” over 200 banking and payment applications to con the Android user.

“It has been discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version can encrypt all data on an Android phone and hold it to ransom,” it said.

Another key feature of the virus, according to the advisory, is the refactoring of its “protections” module, which aims to protect itself from different victim actions.

For example, it said, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA can intercept these actions and prevent them by returning to the home screen and showing a toast (small popup) displaying This app is secured.

These attack campaigns can effectively jeopardize the privacy and security of sensitive customer data and result in “large-scale” attacks and financial frauds, it said.

The agency also suggested some counter-measures and best practices that can be put into action by the users to keep safe from the virus.

Users should reduce the risk of downloading potentially harmful apps by limiting their download sources to official app stores, such as your device’s manufacturer or operating system app store, they should always review the app details, the number of downloads, user reviews, comments and “ADDITIONAL INFORMATION” section, it said.

One should also verify app permissions and grant only those which have relevant context for the app’s purpose.

They should install regular Android updates and patches, not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.


Please enter your comment!
Please enter your name here