Following the CERT-In announcement, a number of Indian banks, notably SBI, HDFC Bank, and others, issued warnings advising their customers not to download the banks' mobile applications from any source other than the primary app stores.
“It has been reported to CERT-In that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan,” CERT-In said.
According to reports, a new banking Trojan called SOVA has targeted more than 200 mobile banking and cryptocurrency applications and collected users' login information and cookies from them. It can also encrypt an Android user's phone and demand a ransom. In this article we explain what this banking malware is and share some tips for protecting your device against it.
First, what is banking malware and how does it operate?
A banking Trojan (banking malware) is malicious software that impersonates a normal software program and tries to access private information held or processed by an online banking system.
Banking Trojans pose as benign programs, but their true goal is to steal data while hiding their presence: by lying dormant, by concealing components in other files, by being part of a rootkit, or by using heavy obfuscation.
Banking malware may be designed with a backdoor that permits remote access to the computer, or it may capture the banking customer's credentials by impersonating a financial institution's login website.
Malware is a generic term, short for malicious software, that refers to software defined by malicious intent. It can disrupt the normal operation of the computer, collect confidential information, gain unauthorized access to the computer system, display unwanted advertisements, and so on.
What is SOVA trojan?
The Android banking trojan SOVA targets banking apps to steal user data and can crash a number of other apps. It uses overlay layers that make the malware look like a payment app.
In September 2021 the malware was first detected being sold in grey marketplaces. According to CERT-In, it has a "wide range of applications" and can "collect usernames and passwords through keylogging, steal cookies, and create a phoney overlay to a web page."
The malware is most prevalent in Spain, Russia, and the US. However, in July 2022 it expanded its target list to additional nations, including India. The malware is distributed in files with the ".apk" extension.
How does SOVA operate?
According to CERT-In, this malware spreads through smishing: the practice of sending phishing SMS messages that ask the recipient to divulge personal information, such as passwords.
Once the malicious app has been downloaded to a mobile device, it transmits a list of all installed apps to a server that is under the attacker's control.
The server returns a list of the programmes to be targeted by the malware and stores the key data in an XML file. The SOVA trojan and the server then manage the targeted apps.
What threats does SOVA pose?
The SOVA malware is capable of carrying out a variety of tasks. Swiping, stealing cookies, capturing screenshots, and applying fake overlays are a few of these actions.
After a recent update it can also encrypt all data and demand a ransom. One of the most significant upgrades is the "protection" module: a user can no longer delete the infected app, however hard they try; instead the words "This app is secured" appear on the screen.
How can users safeguard themselves?
- The most crucial step is to download programmes only from authorised app stores.
- Another step is to check the "Additional Information" section before downloading an app, to read the app's details, download history, and user reviews.
- Another CERT-In recommended practice is to install the latest updates for the operating system software and applications provided by the device vendor, and to download and activate anti-virus software.
- Do not browse untrusted websites or follow untrusted links, and exercise caution when clicking on links provided in unsolicited emails and text messages.
- Additionally, users should only click on URLs that point to a legitimate website.
- Users should also enable the firewall.
- Finally, users are required to immediately report any unusual activity on a bank account to the relevant bank.
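The two points above that a defender can actually check on a handset are where an app came from (the "only download from authorised app stores" advice) and whether it holds the permissions that overlay and keylogging abuse depend on (the behaviour described under "How does SOVA operate?" and "What threats does SOVA pose?"). The following is an added example, not code from the article or from CERT-In: it parses the output of `adb shell pm list packages -i` (format assumed to be `package:<name>  installer=<installer>`, with `installer=null` for sideloaded packages) and ranks sideloaded apps by the risky permissions they hold. All sample values, package names and permission sets are constructed.

```python
"""Triage of sideloaded Android apps from `adb shell pm list packages -i` output.

Added example, not code from the article or from CERT-In. It assumes the
listing format `package:<name>  installer=<installer>` (sideloaded packages
show `installer=null`); every sample value below is constructed.
"""
import re

# Constructed sample of what `adb shell pm list packages -i` prints.
SAMPLE_LISTING = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.fake.payment.update  installer=null
package:com.vendor.android.messaging  installer=null
package:com.some.sideloaded.tool  installer=com.android.packageinstaller
"""

# Constructed: permissions each package holds, as a defender would collect
# from `dumpsys package <pkg>`. SYSTEM_ALERT_WINDOW enables screen overlays and
# BIND_ACCESSIBILITY_SERVICE lets an app observe and inject input, which is
# what overlay and keylogging abuse relies on.
SAMPLE_PERMISSIONS = {
    "com.android.chrome": {"android.permission.INTERNET"},
    "com.example.bank": {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"},
    "com.fake.payment.update": {
        "android.permission.INTERNET",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.RECEIVE_SMS",
    },
    "com.vendor.android.messaging": {"android.permission.RECEIVE_SMS"},
    "com.some.sideloaded.tool": {"android.permission.INTERNET"},
}

# Storefront installer package names treated as trusted (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}
# Preinstalled OEM packages also report installer=null; keep an allowlist
# of known ones so they are not flagged (constructed entry).
KNOWN_SYSTEM_PACKAGES = {"com.vendor.android.messaging"}
# Permissions a fake banking/payment app abuses, each with a weight (assumption).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_installer_listing(text):
    """Map package name -> installer package name ('null' when sideloaded)."""
    listing = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore blank or unexpected lines rather than failing
            listing[m.group("pkg")] = m.group("inst")
    return listing


def find_sideloaded(listing, trusted=TRUSTED_INSTALLERS, system=KNOWN_SYSTEM_PACKAGES):
    """Packages that did not come from a trusted storefront and are not known system apps."""
    return sorted(pkg for pkg, inst in listing.items()
                  if inst not in trusted and pkg not in system)


def risk_score(pkg, permissions):
    """Sum the weights of the risky permissions the package holds."""
    held = permissions.get(pkg, set())
    return sum(w for p, w in RISKY_PERMISSIONS.items() if p in held)


def triage(listing_text, permissions):
    """Sideloaded packages ranked by risk: list of (pkg, installer, score)."""
    listing = parse_installer_listing(listing_text)
    rows = [(pkg, listing[pkg], risk_score(pkg, permissions))
            for pkg in find_sideloaded(listing)]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for pkg, inst, score in triage(SAMPLE_LISTING, SAMPLE_PERMISSIONS):
        print(f"{score:2d}  {pkg:32s} installer={inst}")
```

On the constructed sample the fake payment app is the only sideloaded package that combines the overlay and accessibility permissions, so it ranks first; the legitimate bank app came from the storefront and is never listed. The installer check alone is not conclusive (OEM packages and apps restored from a backup also show `installer=null`), which is why the permission weighting is layered on top.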
Some other infamous banking Trojans:
Zbot / Zeus
Zeus, also known as Zbot, is a notorious Trojan that infects Windows users and tries to get confidential information from infected computers. Zeus was created to steal personal data from infected systems such as system information, passwords, banking credentials or other financial details, and it can be customized to collect bank details in specific countries and use a variety of methods.
Zeus Gameover is a variant of the Zeus family, the infamous line of financial theft malware, built on a peer-to-peer botnet infrastructure. The peer-to-peer setup eliminates the need for a centralized command and control server, and a DGA (Domain Generation Algorithm) creates new domains in the event that peer servers are not accessible. Peers in the botnet can act as independent command and control servers, exchanging commands or configuration files among themselves and eventually sending the stolen data on to other servers.
SpyEye is data-stealing malware (similar to Zeus) created to steal money from online bank accounts. This malware has the ability to steal bank account credentials, social security numbers, and financial information that can be used to drain bank accounts.
Shylock is banking malware designed to collect users' banking credentials for fraudulent purposes. Once installed, Shylock communicates with command and control servers run by cybercriminals, sending data from and receiving data to the infected PCs. Like Zeus Gameover, this malware uses a Domain Generation Algorithm (DGA) to generate multiple domains over which commands can be exchanged between the malicious servers and infected systems.
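Both Zeus Gameover and Shylock fall back on a Domain Generation Algorithm, and the defender's side of that is spotting algorithmically generated names in DNS logs. The block below is an added example, not code from the article or from any of the malware families it names: it scores the registrable label of each queried name on character entropy, vowel ratio and digit ratio, and flags a query when two of the three heuristics agree. The log format, every domain name and the thresholds are constructed or assumed for illustration; a production detector would use the public suffix list and tune thresholds on real traffic.

```python
"""DGA-likeness scoring over DNS query log lines.

Added example, not code from the article or from any malware family it
names. Log format and all domain names below are constructed; thresholds
are assumptions chosen for illustration, not published values.
"""
import math

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2022-09-10T10:00:01Z 10.0.0.5 A www.google.com
2022-09-10T10:00:02Z 10.0.0.5 A mail.example.co.uk
2022-09-10T10:00:03Z 10.0.0.7 A xk3q9vwz7tplm2.net
2022-09-10T10:00:04Z 10.0.0.7 A qwjhxzvbtrkplm.com
2022-09-10T10:00:05Z 10.0.0.9 A internationalbusiness.org
2022-09-10T10:00:06Z 10.0.0.9 A cdn.cloudflare.net
"""

# Two-label public suffixes (constructed subset; use the public suffix list for real).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}
VOWELS = set("aeiou")
MIN_LABEL_LEN = 12       # assumption: shorter labels are not judged at all
ENTROPY_THRESHOLD = 3.5  # bits per character, assumption
VOWEL_RATIO_MAX = 0.25   # assumption
DIGIT_RATIO_MIN = 0.2    # assumption


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """The label just below the public suffix, e.g. 'example' for mail.example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_indicators(domain):
    """Names of the heuristics the registrable label trips; empty if none or too short."""
    label = registrable_label(domain)
    if len(label) < MIN_LABEL_LEN:
        return []
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    hits = []
    if shannon_entropy(label) >= ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    if vowel_ratio < VOWEL_RATIO_MAX:
        hits.append("few-vowels")
    if digit_ratio > DIGIT_RATIO_MIN:
        hits.append("many-digits")
    return hits


def is_dga_like(domain):
    """Flag only when at least two independent heuristics agree, to limit false positives."""
    return len(dga_indicators(domain)) >= 2


def scan_dns_log(text):
    """Return [(qname, indicators)] for queries that look algorithmically generated."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        qname = parts[3]
        if is_dga_like(qname):
            flagged.append((qname, dga_indicators(qname)))
    return flagged


if __name__ == "__main__":
    for qname, why in scan_dns_log(SAMPLE_LOG):
        print(f"{qname:28s} {', '.join(why)}")
```

The long but pronounceable label `internationalbusiness` is deliberately included: it passes the length gate but trips none of the three heuristics, which is the point of requiring two independent signals rather than entropy alone. A real DGA detector would add per-client rate features (many NXDOMAIN answers in a short window), since a single odd-looking name is weak evidence on its own.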
Panda is a banking trojan that uses many of Zeus's techniques, such as man-in-the-browser and keylogging, but has more advanced stealth capabilities. A Panda attack can start with spam emails containing malicious attachments.