According to CERT-In, a new mobile banking Trojan called SOVA has been discovered targeting users in India. The advisory covers what you need to know about the malware.
Indian customers are the target of the new mobile banking “Trojan” SOVA, which can secretly encrypt an Android phone for ransom and is difficult to remove.
Initially focused on countries including the US, Russia and Spain, SOVA expanded its scope in July 2022 to a number of other countries, including India.
After first being detected in Indian cyberspace in July, the malware has since been upgraded to its fifth version, according to an advisory from India’s central cyber security agency.
“It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan. The first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest user names and passwords via key logging, stealing cookies and adding false overlays to a range of apps,” the advisory said.
To deceive the Android user, SOVA can “mimic” over 200 banking and payment applications and add fake overlays to a variety of apps.
To trick users into installing it, the latest iteration of this malware disguises itself inside entirely fake Android applications that display the logo of a small number of well-known legitimate apps, including Chrome, Amazon and an NFT (non-fungible token, linked to cryptocurrency) platform.
The Indian Computer Emergency Response Team, or CERT-In, is the federal technical agency that responds to cyberattacks and works to protect Internet users against phishing, hacking and other online attacks. The organisation said that, like the majority of Android banking Trojans, the malware is spread through smishing (phishing via SMS) attacks.
The malware’s capabilities include capturing screenshots, recording video from the webcam, intercepting multi-factor authentication (MFA) tokens, collecting keystroke data, and performing swipes, clicks and other gestures using the Android accessibility service.
Another important feature described in the advisory is the rewritten “protections” module, which is designed to defend the malware against actions the victim might take to get rid of it. For instance, if the user tries to uninstall the malware through the settings or by pressing its icon, SOVA is able to stop them by returning to the home screen and displaying a toast (a small pop-up notification) stating “This app is secured.”
It may put the privacy and security of critical customer data at risk, lead to “large-scale” attacks and enable financial fraud.
How does it work?
Once installed on the phone, the fake Android application sends the list of all installed apps to the C2 (command and control) server controlled by the threat actor, according to the alert, so that the operator can work out which of the targeted apps are present.
“At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information inside an XML file. These targeted applications are then managed through the communications between the malware and the C2,” it said.
How to protect your Android device:
CERT-In offered various preventative measures and recommended practices that users can adopt to stay protected from the malware.
Users should reduce their risk of downloading potentially harmful apps by restricting their downloads to official app stores, such as the store provided by the maker of their device or of their operating system. They should also always review the app’s details, number of downloads, user reviews, comments and “ADDITIONAL INFORMATION” section, it said.
Additionally, users should check the app permissions and only approve those that are relevant to the purpose of the app.
Regular Android updates and patches should be applied, untrusted websites and links should not be visited or explored, and caution should be taken when clicking on links contained in unsolicited emails and SMS messages.
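As an added example (not from the article or from CERT-In), the following Python script shows one way to apply the permission-review advice above to an app that is already installed, working from a PC over `adb`. It parses the permission section of `adb shell dumpsys package <pkg>` output together with the `enabled_accessibility_services` secure setting, and flags the permissions that correspond to the behaviours the advisory describes: screen overlays, SMS/OTP interception, camera capture, enumerating installed apps, and accessibility-service abuse. The sample outputs embedded below are constructed, the exact `dumpsys` layout varies between Android versions, and the risk mapping is this example’s own rather than an official list.

```python
"""Triage the permissions held by an installed Android app.

Added example for this article; not code from CERT-In or the original page.
Inputs are the text of `adb shell dumpsys package <pkg>` (permission section)
and the value of `adb shell settings get secure enabled_accessibility_services`.
Both samples below are CONSTRUCTED and approximate the real output format.
"""
import re

# Mapping of permission -> capability it enables. This list is the example's
# own selection, chosen to match the behaviours described in the advisory.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps (fake login screens)",
    "android.permission.RECEIVE_SMS": "read incoming SMS, including one-time passcodes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.CAMERA": "record video from the camera",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate every installed app",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
}

# Constructed sample: a fake "browser" that asks for far more than it needs.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakebrowser]:
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.CAMERA
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.QUERY_ALL_PACKAGES: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.RECEIVE_SMS: granted=false
      android.permission.READ_SMS: granted=false
"""

# Constructed sample: colon-separated package/ServiceClass entries.
SAMPLE_A11Y = ("com.example.fakebrowser/com.example.fakebrowser.OverlayService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")

# Matches "android.permission.X" alone (requested) or with ": granted=true|false".
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?\s*$")


def parse_permissions(dumpsys_text):
    """Return {permission: granted}; granted is True/False, or None when the
    permission is only listed as requested and no grant state was seen."""
    perms = {}
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if not m:
            continue
        name, granted = m.group(1), m.group(2)
        if granted is None:
            perms.setdefault(name, None)       # requested; keep any known grant state
        else:
            perms[name] = (granted == "true")  # install/runtime grant state
    return perms


def parse_accessibility_services(setting_value):
    """Return the set of packages with an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(package, dumpsys_text, a11y_setting):
    """Return (permission, state, reason) findings for the given package."""
    perms = parse_permissions(dumpsys_text)
    labels = {True: "granted", False: "requested, not granted", None: "requested"}
    findings = [(name.rsplit(".", 1)[1], labels[perms[name]], reason)
                for name, reason in HIGH_RISK.items() if name in perms]
    # Accessibility access is a user setting, not a manifest permission, so it
    # has to be checked separately from the dumpsys output.
    if package in parse_accessibility_services(a11y_setting):
        findings.append(("ACCESSIBILITY_SERVICE", "enabled",
                         "read screen content and inject taps and swipes"))
    return findings


if __name__ == "__main__":
    for perm, state, reason in triage("com.example.fakebrowser", SAMPLE_DUMPSYS, SAMPLE_A11Y):
        print(f"[{state:>23}] {perm:<22} - {reason}")
```

The output is a checklist for the user to compare against the app’s stated purpose: a browser has no reason to read SMS or enumerate other apps, and an accessibility service enabled for a non-accessibility app is exactly the foothold the advisory describes for gesture injection and overlay attacks.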