SOVA Android Trojan
SOVA is a new Android banking Trojan campaign that targets banking customers. Its first version was offered for sale on underground markets in September 2021. That version harvested usernames and passwords through keylogging, credential theft and fake overlays placed on top of several apps. Its initial targets were users in the USA, Russia and Spain; in July 2022 further countries, including India, were added to the target list.
The latest version disguises itself as a fake Android app carrying the logo of popular legitimate apps such as Chrome, Amazon and NFT. Once a user logs into a banking application on the infected device, the malware steals the credentials and uses them to access the bank account.
The new SOVA version targets more than two hundred mobile apps, including banking apps and crypto exchanges and wallets. It has also gained new code, such as ransomware functionality: files on the infected device can be encrypted using AES.
What is SOVA?
SOVA is an Android banking Trojan that steals personal information by targeting banking apps. Once the malicious app is installed, it cannot be uninstalled through the usual means.
How does SOVA Android Trojan work?
According to the PNB website, SOVA, like other banking Trojans, is spread through smishing, i.e. phishing via SMS. As soon as the fake Android app is installed on the phone, it sends the list of installed apps to the C2 (command and control) server operated by the attackers, which uses it to identify the targeted apps.
The C2 then returns to the malware a list of addresses for each targeted app, and the malware stores this information in an XML file. Note that all communication between the malware and the C2 concerns these targeted apps.
What is the malware capable of performing?
As per the PNB website, the malware can do these functions:
- collect keystrokes
- steal cookies
- intercept multi-factor authentication (MFA) tokens
- take screenshots and record video from the webcam
- perform gestures (screen click, swipe, etc.) using the Android accessibility service
- copy/paste
- add fake overlays to many apps
- target more than two hundred banking and payment apps
Indicators of Compromise:
File hashes:
- 0533968891354ac78b45c486600a7890
- ca559118f4605b0316a13b8cfa321f65
- 74b8956dc35fd8a5eb2f7a5d313e60ca
C2 servers:
- socrersutagans[.]site
- omainwpatnlfq[.]site
- satandemantenimiento[.]com
- wecrvtbyutrcewwretyntrverfd[.]xyz
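A defender will typically want to sweep DNS logs and file inventories for the indicators listed above. The following added example (not from the original post or the PNB advisory) re-fangs the published C2 domains, matches them against a constructed, hypothetical DNS query log, and checks observed file hashes against the published list; the log format and client addresses are assumptions.

```python
from typing import Iterable, List, Optional, Set, Tuple

# IoCs exactly as published above; domains are defanged with "[.]".
C2_DOMAINS_DEFANGED = [
    "socrersutagans[.]site",
    "omainwpatnlfq[.]site",
    "satandemantenimiento[.]com",
    "wecrvtbyutrcewwretyntrverfd[.]xyz",
]
FILE_HASHES = {
    "0533968891354ac78b45c486600a7890",
    "ca559118f4605b0316a13b8cfa321f65",
    "74b8956dc35fd8a5eb2f7a5d313e60ca",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable lowercase name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")
C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed sample DNS query log in a hypothetical "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2022-09-10T08:01:02Z 10.0.0.23 play.google.com
2022-09-10T08:01:09Z 10.0.0.23 api.socrersutagans.site.
2022-09-10T08:02:30Z 10.0.0.42 wecrvtbyutrcewwretyntrverfd.xyz
2022-09-10T08:03:11Z 10.0.0.42 notsocrersutagans.site
"""

def domain_matches(qname: str, bad: Set[str] = C2_DOMAINS) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None.
    The leading dot in the suffix test keeps 'notsocrersutagans.site' from matching."""
    q = qname.lower().rstrip(".")
    return next((d for d in bad if q == d or q.endswith("." + d)), None)

def scan_dns_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_c2) for every query that hits a known C2."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank or malformed lines
            continue
        ts, client, qname = parts
        match = domain_matches(qname)
        if match:
            hits.append((ts, client, match))
    return hits

def scan_hashes(observed: Iterable[str]) -> Set[str]:
    """Return the observed digests (case-insensitive) that appear in the IoC list."""
    return {h.lower() for h in observed} & FILE_HASHES
```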
CERT-In, the Indian Computer Emergency Response Team, is the federal technology agency that combats cyber attacks and protects Indian internet space against smishing, hacking and other online attacks. According to the agency, the malware is distributed through smishing.
SOVA upgrades:
The developers of SOVA have upgraded it to its fifth version since its inception. This version can encrypt all data on an Android device. Another feature is a refactored “protections” module that defends the malware against the victim's attempts to remove it. For instance, SOVA intercepts the action when a user tries to uninstall it from Settings or via the app icon, sends the user back to the home screen and displays “This app is secured”.
The bank has warned its customers about this malware and asked them to report any incident to it.
Best Practices and Recommendations:
- Limit download sources to official app stores, i.e. the device manufacturer's or the operating system's app store, to reduce the risk of installing malicious apps.
- Before downloading or installing apps on any Android device, even from the Google Play Store:
  - Review the app details, number of downloads, user reviews, comments and the “ADDITIONAL INFORMATION” section.
  - Verify app permissions and grant only those relevant to the app's purpose.
  - Do not enable the “Untrusted Sources” option to install side-loaded apps.
- Install Android updates and patches as soon as the device vendor makes them available.
- Do not browse untrusted websites or follow untrusted links, and exercise caution when tapping links in unsolicited emails and SMS messages.
- Install antivirus and antispyware software and keep it updated.
- Look out for suspicious sender numbers that do not look like real mobile phone numbers.
- Scammers use email-to-text services to disguise themselves and avoid revealing their real mobile numbers. Genuine SMS messages from banks usually show a sender ID consisting of the bank's short name, rather than a mobile number, in the sender field.
Recommendations:
- Research thoroughly before tapping a link in a message. Several websites allow a search by mobile number, and the information they return can help determine whether the number is legitimate.
- Tap only URLs that clearly show the website domain. If in doubt, find the organisation's website directly through a search engine to make sure the site you visit is legitimate.
- Use Safe Browsing tools, the filtering features of your antivirus and firewall, and other filtering services.
- Hover your cursor over shortened URLs to see the full domain of the site they lead to. Alternatively, use a URL checker that expands a short URL into the full URL, or the preview feature that shortening services offer to show the complete URL.
- Before entering account login details or other sensitive personal information, check for the green lock in the browser's address bar to confirm a valid encryption certificate.
- If a customer notices any unusual activity in their account, they must report it to their bank immediately with the relevant details and wait for the bank to take further appropriate action.
The bottom line:
Banking malware uses new techniques, such as the icons of legitimate apps, to lure people. These Trojans are sold on underground markets and can infect your device. Smishing and phishing are among the ways attackers spread them, so you must always remain alert and never download or install apps from untrusted sources.
Frequently Asked Questions
What is Trojan Sova?
SOVA is an Android banking Trojan that aims to steal personal information from banking apps.
Can you get the Trojan virus on Android?
Trojans on the Android OS pose as desirable software such as games, system updates or utilities, or as copies of legitimate programs that have been repackaged with malicious components added.
What is an Android banking Trojan?
It is malware that infects a device and overlays fake login pages on top of legitimate banking and finance apps. Such Trojans can also monitor notifications to capture OTPs, steal account credentials, and more.