SOVA Malware reaches India, be careful if you are using mobile banking on Android device
If you use mobile banking, or pay with credit or debit cards, on your Android smartphone, stay alert: a new malware has reached Indian shores. The malware goes by the name S.O.V.A, which in Russian means ‘owl’; the threat actors probably drew on the nocturnal bird’s stealthy traits when naming it.
ThreatFabric security researchers identified SOVA as a banking trojan in September; at the time, however, the malware had Eastern European countries in its crosshairs. India’s cyber security agency, CERT-In, has now sent out advisories notifying users that the banking trojan is present in India as well. According to CERT-In’s advisory for India, “SOVA was earlier focusing on countries like the USA, Russia, and Spain, but in July 2022 it added several other countries, including India, to its list of targets.”

While the SOVA malware is a banking trojan, it has other harmful capabilities, including keylogging, DDoS, overlay attacks and notification manipulation. Security researchers have also found a rare feature in the malware that allows SOVA to steal session cookies; this lets the malware log in to banking accounts without the user’s username and password.

The threat actors are actively ‘testing’ this new malware on hacking forums, “The author publicly advertises for the trial of this new product – targeting a large number of banks – looking to improve the bot’s functionalities, and test on a large variety of mobile devices. In addition to testing, the authors have established a clear roadmap of future features to be implemented in the malware,” the researchers noted.

ThreatFabric has found that the SOVA malware is developed in Kotlin, a programming language supported on Android. While the malware is relatively young and still under development, the researchers feel that if the threat actor keeps his promises, SOVA could end up being one of the “most complete and advanced Android bots to be fully developed in Kotlin to this day.”

“The latest version of this malware hides within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, NFT platform to deceive users into installing them. This malware captures the credentials when users log into their net banking apps and access bank accounts. The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets,” says CERT-In.

The SOVA malware’s list of functions includes the ability to:

  • collect keystrokes
  • steal cookies
  • intercept multi-factor authentication (MFA) tokens
  • take screenshots and record video from a webcam
  • perform gestures such as screen clicks and swipes using the Android accessibility service
  • copy/paste
  • add false overlays to a range of apps
  • mimic over 200 banking and payment applications

Cannot be deleted!

It has been discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version can encrypt all data on an Android phone and hold it to ransom. Another key feature of SOVA is the refactoring of its “protections” module, which aims to shield the malware from various actions by the victim. For example, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them (through abuse of the Accessibility services) by returning to the home screen and showing a toast (small popup) that says “This app is secured”.
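Because the uninstall blocking, fake overlays and gesture injection described above all depend on the malware holding Accessibility Service privileges, one practical triage check is to list which third-party packages have such a service enabled. The following is an added example, not code from the article, CERT-In or ThreatFabric; it parses the values of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`), and the package names and allow-list in it are constructed.

```python
"""Flag third-party Android apps that hold Accessibility Service privileges.

The two sample strings below stand in for the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
All package names here are constructed for the demo.
"""

# Constructed sample: the secure setting is a colon-separated list of
# package/ServiceClass components. An empty setting prints "null".
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/.SecureService"   # constructed, not a real package
)

# Constructed sample: "pm list packages -3" prints one "package:<name>" per line.
THIRD_PARTY_PKGS = """package:com.example.fakechrome
package:com.example.notes
"""

# Packages a reviewer has vetted (constructed allow-list; adjust per fleet).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_a11y_services(setting):
    """Map package name -> fully qualified service class from the raw setting."""
    services = {}
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" not in entry:          # skips "", "null" and malformed entries
            continue
        pkg, svc = entry.split("/", 1)
        # A leading "." means the class name is relative to the package.
        services[pkg] = pkg + svc if svc.startswith(".") else svc
    return services


def parse_third_party(pm_output):
    """Extract package names from 'pm list packages -3' output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def flag_suspicious(setting, pm_output, allow):
    """Third-party packages with an enabled accessibility service not on the allow-list."""
    a11y, third = parse_a11y_services(setting), parse_third_party(pm_output)
    return {p: s for p, s in a11y.items() if p in third and p not in allow}


if __name__ == "__main__":
    for pkg, svc in flag_suspicious(ENABLED_A11Y, THIRD_PARTY_PKGS, ALLOWLIST).items():
        print(f"REVIEW: {pkg} runs accessibility service {svc}")
```

A flagged package is a lead for review, not proof of infection; legitimate screen readers and automation tools also use this API, which is why the allow-list exists.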