SOVA is an Android banking trojan, and the campaign described here is its latest wave. Prior to focusing on India, SOVA targeted users in the USA, Russia, and Spain.
For Indians who use mobile online banking, this malware is among the most dangerous currently in circulation. The version now being seen in India is the fifth iteration of the trojan, and it is difficult to uninstall.
It is also capable of encrypting all data on the infected phone. The nation's federal cyber security agency, CERT-In, disclosed this.
To trick users into installing it, this strain disguises itself as fake Android applications that reuse the icons of popular legitimate apps, including Google Chrome, Amazon, and NFT platforms.
The defining trait of this malware is its resilience. Its self-protection code has been reworked so that it can defend itself against actions taken by the victim, such as attempts to remove it.
How the SOVA Android Trojan operates
To trick users into installing it, the most recent iteration of the trojan hides behind fake Android apps that carry the logos of genuine programs, such as Google Chrome, Amazon, NFT platforms, and others. Whenever a victim uses an infected device to log into a net banking app or access a bank account, the malware can capture the user's credentials without their knowledge. According to reports, the latest version of SOVA targets over 200 mobile applications, including cryptocurrency wallets and exchanges.
Like most Android banking trojans, SOVA is distributed mainly through SMS phishing campaigns (smishing). When a user installs one of these fake apps, the malware sends the list of applications already installed on the device to its command and control (C2) server, which is operated by the attackers. Using that list, the attacker selects which applications to target.
The C2 server then returns the list of addresses for each targeted app, which the malware stores in an XML file on the device. How those targeted apps are handled is subsequently controlled by commands exchanged between the malware and the C2 server. The malware's capabilities include keystroke logging, cookie theft, MFA token interception, screenshot and video capture, and overlays impersonating more than 200 banking and payment apps.
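The check-in exchange described above, reduced to a runnable simulation. This is an added example, not SOVA's code or its real protocol: the JSON check-in schema, the XML target layout, the `overlay.invalid` URLs and the `com.example.*` package names are all constructed for illustration. What it shows is the targeting logic itself: the device reports what is installed, the operator returns overlays only for the apps it has an injection for, and the device consults that stored list when the victim brings an app to the foreground.

```python
"""Simulation of an Android banking-trojan check-in with its C2 (constructed example).

Nothing here is SOVA's actual wire format; the message shapes are assumptions
chosen so that the selection logic described in the article can be exercised.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed operator-side catalogue: package name -> URL of the overlay page
# the operator has prepared for that app. The .invalid TLD can never resolve.
C2_TARGET_CATALOGUE: Dict[str, str] = {
    "com.example.bank": "https://overlay.invalid/bank.html",
    "com.example.wallet": "https://overlay.invalid/wallet.html",
    "com.example.exchange": "https://overlay.invalid/exchange.html",
}


def build_checkin(device_id: str, installed_packages: List[str]) -> str:
    """Infected device -> C2: report the list of installed packages (assumed JSON schema)."""
    return json.dumps({"id": device_id, "apps": sorted(set(installed_packages))})


def c2_select_targets(checkin_json: str, catalogue: Dict[str, str]) -> str:
    """C2 -> device: keep only the installed apps the operator has an overlay for,
    and return them as the XML document the device will store locally."""
    msg = json.loads(checkin_json)
    root = ET.Element("targets", {"id": msg["id"]})
    for pkg in msg["apps"]:
        if pkg in catalogue:
            ET.SubElement(root, "target", {"package": pkg, "inject": catalogue[pkg]})
    return ET.tostring(root, encoding="unicode")


def parse_target_xml(xml_text: str) -> Dict[str, str]:
    """Device side: parse the stored XML back into package -> overlay URL."""
    root = ET.fromstring(xml_text)
    return {t.attrib["package"]: t.attrib["inject"] for t in root.findall("target")}


def overlay_for(foreground_package: str, targets: Dict[str, str]) -> Optional[str]:
    """When the victim opens an app, return the overlay to show, or None if the app
    is not on the target list (the overlay attack only fires for listed apps)."""
    return targets.get(foreground_package)


def at_risk_packages(installed_packages: List[str], catalogue: Dict[str, str]) -> List[str]:
    """Defender-side view: given a device's package list and a known target
    catalogue (e.g. from a published IOC list), which installed apps are exposed."""
    return sorted(pkg for pkg in set(installed_packages) if pkg in catalogue)


if __name__ == "__main__":
    # Constructed device inventory: one untargeted app, two targeted ones.
    installed = ["com.android.chrome", "com.example.bank", "com.example.exchange"]
    checkin = build_checkin("device-0001", installed)
    stored_xml = c2_select_targets(checkin, C2_TARGET_CATALOGUE)
    targets = parse_target_xml(stored_xml)
    print(stored_xml)
    print("chrome ->", overlay_for("com.android.chrome", targets))
    print("bank   ->", overlay_for("com.example.bank", targets))
    print("at risk:", at_risk_packages(installed, C2_TARGET_CATALOGUE))
```

The point for defenders is the asymmetry in the exchange: the device never learns the operator's full catalogue, only the entries that match what it already has installed, so a single infected device reveals little about the campaign's overall target list. Triage therefore has to work the other way round, from a published target list back to the device's package inventory, which is what `at_risk_packages` does.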
Security researchers at ThreatFabric first documented SOVA as a banking trojan in September 2021, when it was targeting Eastern European countries. The Indian cyber security agency has since issued alerts informing the public that the banking trojan is also active in India. “In July 2022, SOVA added India to its list of targets, after it previously targeted the USA, Russia, and Spain,” the CERT-In advisory for India said.
Although it is primarily a banking trojan, SOVA is also capable of keylogging, DDoS, overlay attacks, notification manipulation, and other malicious activities.
Researchers have also identified a feature that allows SOVA to steal session cookies. With a valid session cookie, the attacker can access the victim's banking account without knowing the username or password.
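Session cookie theft works because most services treat a bearer cookie as proof of identity on its own. One server-side mitigation a practitioner would want here is to bind each session to attributes of the client that issued it, so that a cookie replayed from the attacker's own machine fails validation. The following is an added example of that check, not code from any bank or from the ThreatFabric or CERT-In material; the HMAC construction, the fingerprint inputs and the `user:nonce:tag` cookie layout are assumptions chosen for illustration.

```python
"""Binding a session cookie to the issuing client (constructed example).

The server keeps a secret key and issues cookies of the form user:nonce:tag, where
tag = HMAC(key, user:nonce:fingerprint). A stolen cookie presented from a client
with a different fingerprint produces a different expected tag and is rejected.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server secret; a real deployment would load this from a key manager.
SERVER_KEY = secrets.token_bytes(32)


def device_fingerprint(user_agent: str, device_id: str) -> str:
    """Reduce the client attributes the session is bound to into one digest.
    Which attributes to use is a policy choice; here it is User-Agent plus a
    per-install device identifier (assumed to be sent by the banking app)."""
    return hashlib.sha256(f"{user_agent}|{device_id}".encode()).hexdigest()


def issue_session(user: str, fingerprint: str, key: bytes = SERVER_KEY) -> str:
    """Create a session cookie for `user` that is only valid from `fingerprint`."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{user}:{nonce}:{fingerprint}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{tag}"


def validate_session(cookie: str, fingerprint: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user the cookie belongs to, or None if it is malformed, forged,
    or presented from a client whose fingerprint differs from the issuing one."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user, nonce, tag = parts
    expected = hmac.new(key, f"{user}:{nonce}:{fingerprint}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    return user if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Constructed scenario: the cookie is issued to the victim's phone, then
    # exfiltrated and replayed from the attacker's workstation.
    victim_fp = device_fingerprint("BankApp/4.2 (Android 12)", "install-7f3a")
    attacker_fp = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "install-0000")
    cookie = issue_session("victim", victim_fp)
    print("from victim device :", validate_session(cookie, victim_fp))
    print("replayed elsewhere :", validate_session(cookie, attacker_fp))
```

The caveat is that this only defeats replay from a different client. Malware running on the victim's own phone can still drive the banking app in place, where the fingerprint matches, so session binding has to be combined with short session lifetimes and re-authentication for sensitive actions such as adding a payee or changing a transfer limit.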