Android users ALERT! Banks issue advisories against SOVA Trojan; save your money from scammers
PNB said in its advisory that the latest version of the SOVA malware hides itself within fake Android applications.
- SOVA trojan is a malware that steals sensitive information from your smartphone
- SOVA trojan, once installed, prevents users from uninstalling it
- The trojan can lead to financial losses
Several banks have issued advisories for Android users against a malware named SOVA. The trojan targets banking apps to steal personal information and may lead to financial losses if it manages to get onto your smartphone. Since India has a huge number of Android users, the banks are also sending the advisories via SMS. State Bank of India warned its customers against downloading or installing SBI or any other apps by clicking on links received from unofficial sources. The bank said that users should download the app only from the official Play Store.
Punjab National Bank published a detailed advisory on its website cautioning users against the SOVA trojan. "It is reported that Indian banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan. The first version of this malware appeared for sale in underground markets in September 2021 with the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps. SOVA was earlier focusing on countries like the USA, Russia and Spain, but in July 2022 it added several other countries, including India, to its list of targets," PNB said.
The bank said in its advisory that the latest version of the SOVA malware hides itself within fake Android applications that carry the logos of a few well-known legitimate apps, such as Chrome, Amazon and an NFT platform, to deceive users into installing them. "This malware captures the credentials when users log into their net banking apps and access bank accounts. The new version of SOVA seems to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Moreover, its latest version shows various code development including ransomware features," it said.
How does SOVA infect your smartphone?
SOVA malware is distributed via smishing (phishing via SMS) attacks. If a user installs the fake Android application from the link in the message, the app sends the list of all applications installed on the device to the scammers' command-and-control (C2) server. The C2 then sends back, for each targeted application, the addresses the malware should use (the false overlays mentioned above), and the malware stores this information inside an XML file. The targeted applications are then managed through the communication between the malware and the C2, so the login ID, password and other confidential information entered into them get compromised.
"SOVA refactors into a protection module. The feature aims to protect itself from different victims’ actions. For example, if the user tries to uninstall the malware from the settings or by pressing the icon, SOVA is able to intercept these actions and prevent them by returning to the home screen and showing a small popup claiming that the app is secured," detailed the bank in its notice.
How to secure your phone from SOVA trojan?
* Never download apps from anywhere other than official sources such as the Play Store.
* Prior to downloading/installing apps on Android devices (even from the Google Play Store), always review the app details, number of downloads, user reviews, comments and the "Additional Information" section. Also verify the app's permissions and grant only those that have a relevant context for the app's purpose. Do not enable the setting that allows installation from unknown sources (Android calls it "Unknown sources" or "Install unknown apps"; the advisory refers to it as the 'Untrusted Sources' checkbox) in order to install any such app.
* Keep your device and Android version updated with security patches released from time to time.
* Do not browse untrusted websites or follow untrusted links, and exercise caution while clicking on links provided in unsolicited emails and SMS messages.
* Install and maintain updated antivirus and antispyware software.
* Look for the message sender's details. Genuine SMS messages received from banks usually contain sender id (consisting of bank’s short name) instead of a phone number in the sender information field.
* Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl, since they hide the real destination. On a desktop browser, hover the cursor over the shortened URL to see the full website domain it leads to; on a phone, where there is no cursor, long-press the link to preview the full URL before opening it. One can also use a URL checker that allows the user to enter a short URL and view the full URL.
* Look for a valid certificate (the padlock in the browser's address bar; most current browsers no longer colour it green) before providing any sensitive information such as personal particulars or account login details. Treat this as a minimum check only: the padlock confirms that the connection is encrypted, not who is at the other end, and phishing sites obtain valid certificates just as easily, so also verify that the address bar shows the bank's own domain and not a lookalike.
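The sender-ID, shortened-URL and certificate advice above can be turned into a simple triage routine for incoming bank-themed SMS messages. The following is an added example written for this page; it is not code from any of the banks or from the SOVA advisory. The bank domains, sender IDs and sample messages are constructed placeholders, and the list of URL shorteners is an assumption extended from the two named in the advisory.

```python
"""Triage of bank-themed SMS messages for smishing indicators.

Added example, not part of the bank advisories quoted above. All bank
domains, sender IDs and messages below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of the bank's legitimate domains (placeholders, not real).
TRUSTED_DOMAINS = {"examplebank.example", "netbanking.examplebank.example"}

# URL shorteners: bit.ly and tinyurl from the advisory plus a few common ones (assumed).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "rb.gy"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
# A registered sender ID is alphanumeric (e.g. "AD-EXBANK"); a bare phone number is digits.
PHONE_SENDER_RE = re.compile(r"^\+?\d[\d\s-]{6,}$")
URGENCY_RE = re.compile(r"\b(blocked|suspended|kyc|expire[sd]?|update now|verify)\b", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in an SMS body, normalised to carry a scheme."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host):
    # Exact match or a subdomain of an allowlisted domain; lookalikes such as
    # examplebank.example-login.com or examplebank.example.evil.com do not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_sms(sender, body):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if PHONE_SENDER_RE.match(sender.strip()):
        findings.append("sender is a phone number, not a registered sender ID")
    urls = extract_urls(body)
    for url in urls:
        host = host_of(url)
        path = urlsplit(url).path.lower()
        if host in SHORTENER_DOMAINS:
            findings.append(f"shortened URL hides the destination: {host}")
        elif not is_trusted_host(host):
            findings.append(f"link domain is not on the bank allowlist: {host}")
        if path.endswith(".apk"):
            findings.append("link points to an APK, i.e. a sideloaded app install")
        # https only proves the transport is encrypted, not who runs the host.
        if url.lower().startswith("https://") and not is_trusted_host(host):
            findings.append(f"https on an untrusted host is not evidence of legitimacy: {host}")
    if urls and URGENCY_RE.search(body):
        findings.append("urgency lure combined with a link")
    return findings


# Constructed sample messages (not real bank traffic).
SAMPLES = [
    ("AD-EXBANK", "Your a/c XX1234 debited INR 500. Not you? Log in at https://netbanking.examplebank.example"),
    ("+919876543210", "Dear customer your account will be blocked. Update KYC now http://bit.ly/3xyz"),
    ("EXBANK", "Install the new banking app: https://examplebank-update.example/app.apk"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage_sms(sender, body) or ["no indicators"])
```

The allowlist is the key control: a message is only as trustworthy as the domain its link actually resolves to, which is why the shortened-URL check fires before any domain comparison and why an https link on an unlisted host is still flagged.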