The Centre has advised Indian mobile banking users to be cautious against a ‘Trojan’ virus which is difficult to uninstall can covertly encrypt an Android phone for ransom.It has potential to jeopardise sensitive customer data and result in “large-scale” financial frauds.The advisory was released on September 10 by Computer Emergency Response Team( CERT-In), the nodal agency under the union ministry of Electronics and Information Technology working to tackle cyber security threats.It informed, “It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan.”The advisory stated that the first version of the malware was found being sold illegally in September 2021.Then it had ability to get user names and passwords through key logging, stealing cookies and adding false overlays to a range of apps.It initially targeted only few countries like US, Russia and Spain, however in July 2022 India too came in the list.The malware has upgraded itself to fifth version, according to the advisory, hiding itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, NFT (non-fungible token linked to crypto currency) platform to cheat users into installing them.The advisory from CERT-In warns that the upgraded SOVA is now targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets.
It spreads by fraudulent messages and once in device, it records the information of users at the time of login to net banking apps.”Once the fake android application is installed on the phone, it sends the list of all applications installed on the device to the C2 (command and control server) controlled by the threat actor in order to obtain the list of targeted applications,” CERT-In informed.”At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file.These targeted applications are then managed through the communications between the malware and the C2.”The malware is so powerful that it can capture keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots and record video from a webcam and can perform gestures like screen click, swipe etc.with the use android accessibility service.To hide itself it can also add pseudo overlays to a range of apps and replicate over 200 banking and payment applications.It incorporates different ways to self-protect.
If the user tries to uninstall the malware from the settings or pressing the icon, SOVA is able to catch these actions and prevent victim user by returning them to the home screen and shows a small popup reading “This app is secured”.How to secure your device ?The agency advised some counter measures to lessen the vulnerability from the virus.Users should be cautious while downloading app.It is best practice to download from official app stores – device’s manufacturer or operating system app store.There too the users must check the app details, number of downloads, user reviews, comments and “ADDITIONAL INFORMATION” section.Only relevant permissions should be granted to app.Keep your smartphone updated to the latest Android updates and patches.Do not open un-trusted websites or follow un-trusted links.While clicking on the link provided in any unsolicited emails and SMSs, take utmost attention..
