Mumbai: SOVA, malware that creeps into your phone disguised as popular apps like Google Chrome and Amazon, seems to have turned its attention to India. According to the latest research, India ranks third in the list of countries targeted by SOVA this year.
SOVA is a concern not only for India but for several other countries due to the fact that it is a banking Trojan. While most malware aims to steal data, banking Trojans are specifically programmed to ignore everything else and attack banking apps on your device. Called “Trojans” because they slip into target devices disguised as legitimate apps, this malware captures your credentials when you log into your online banking apps and access your bank accounts.
A detailed research report released earlier this week by Cleafy Labs, an Italy-based cyber threat intelligence and fraud management firm, showed that while SOVA previously focused on countries like the United States, Russia and Spain, it diversified between May and July this year and added several other countries, including India, to its target list.
Data made public by Cleafy indicates that as of last month, SOVA had targeted 25 banking apps from the Philippines, 12 from the UK and four from India, placing India third in terms of newly targeted countries this year. Banking apps from several other countries were also targeted, but to a lesser extent.
Responding to a question from the Hindustan Times, Paolo Raffin, Chief Marketing Officer of Cleafy, said: “Based on our analysis, the Indian targets appear to have been added around May 2022.”
This means that in just two months, SOVA has compromised four banking applications in India and its activities are still ongoing.
Cleafy’s research also revealed that hackers using SOVA have a specific list of apps they target, including GPay, Gmail and Google Password Manager, all of which are widely used in India.
“To get the list of targeted apps, SOVA sends the list of all apps installed on the device to C2 (command and control server), right after it is installed. At this point, the C2 sends back to the malware the list of addresses of each targeted application and stores this information,” the report from Cleafy, accessible by HT, states.
As the name suggests, a C2 server is the server that fully controls the malware and sends it commands on how to proceed once it is inside a target device.
However, the firm says the worst of SOVA remains to be seen. Cleafy discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the ability to encrypt all data on an Android phone and hold it for ransom. While ransomware attacks have traditionally been limited to desktop or laptop computers, Android ransomware is rare but far more effective.
“As of today, we have no evidence of how SOVA is being distributed in India. It is likely that it was distributed via smishing attacks, like most Android banking Trojans. However, given the increasing efforts by hackers (threat actors) over the past year to try and upload malware to the Google Play Store, we are not ruling out the possibility at some point in the near future,” Raffin told HT, referring to how SOVA gets onto a device.