Fraud Alert: Bank Customers Targeted by SOVA Android Trojan
Yogesh Sapkale | 24 September 2022
SOVA, a highly sophisticated Trojan that has re-emerged, is now targeting payment and banking apps on Android devices in India. Sova is the Russian word for owl. In September last year it appeared on dark web and underground markets with the ability to harvest user names and passwords through keylogging, steal cookies and place false overlays on several apps installed on the mobile device. Although SOVA is still under development, it is becoming more dangerous: its upcoming version (v5) is being readied with ransomware capabilities for mobile devices. Ransomware attacks on mobiles would be catastrophic for every user.
SOVA's existing version (v4), according to cybersecurity research company Cleafy, has been updated with a range of new features and capabilities for targeting more than 200 mobile applications, including banking apps, crypto exchanges, and wallets.
"With SOVA v4, threat actors (TAs) can manage multiple commands, such as screen click, swipe, copy and paste and the capability to show an overlay screen to hide the screen to the victim. However, it was observed that multiple logs of information are still sent back to the command and control server (C2). This behaviour is a strong indicator that SOVA is still going through a development process, while TAs are rolling out new features and capabilities," Cleafy says.
India's computer emergency response team (CERT-In) has also issued a warning about the SOVA Android Trojan. SOVA earlier focused on countries like the US, Russia and Spain; but in July 2022 it added several other countries, including India, to its list of targets. The v4 version of this malware hides itself within fake Android applications that carry the logo of a few well-known legitimate apps, such as Chrome, Amazon and a non-fungible token (NFT) platform, to deceive users into installing them.
The SOVA Android Trojan is distributed through smishing (phishing via SMS). When the recipient of an SMS opens the link in the message, the malware is installed. It then sends the list of all applications installed on the device to the C2 controlled by the TA. The C2 replies with a list of addresses for each targeted application, which the malware stores in an XML file. These targeted applications are then managed through communications between the malware and the C2.
CERT-In says SOVA v4's functions include collecting keystrokes, intercepting multi-factor authentication (MFA) tokens, taking screenshots, recording video from the webcam and performing gestures such as screen clicks and swipes using the Android accessibility service. Version 4 even has a module specific to the Binance exchange and Trust Wallet, Binance's official crypto wallet. Using this module, the TAs can gather information such as the account balance, the actions the user performs inside the crypto app and the seed phrase used to access the crypto wallet.
According to Cleafy, the most dangerous feature, which is still under development in SOVA v5, is the ransomware module. "The ransomware feature is quite interesting as it is still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity that arises in recent years, as mobile devices became for most people the central storage for personal and business data." 
"The aim of TAs is to encrypt the files inside the infected devices through an AES algorithm and rename them with the extension '.enc'," it says. 
Ransomware accesses the content on your PC, laptop or mobile device and scrambles the data. You are then required to pay a ransom before the criminal hands over the key to your locked data. If you are hit by a ransomware attack, you cannot access any of the files or data stored on the device, since all the files carry a new extension (such as the .enc extension used by SOVA's in-development module).
How To Protect Yourself from SOVA Android Trojan
* Never click on any link received via SMS or an email app. Remember, your bank does not send SMS from a mobile number but uses SMS headers such as BX-SBIINB, AX-ICICIB, VM-AxisBk or BZ-CBSSBI (the header changes according to your bank's choice/registration of header text).
* Go to Settings on your mobile and search for 'Untrusted Sources' or 'install unknown app'. Disable it if already enabled.
* Do not download and install any app from third-party stores.
* Use only official app stores, such as your device manufacturer's store (e.g., Samsung Store) or the operating system's app store (Google Play Store).
* Do not browse untrusted websites or follow untrusted links, and exercise caution before clicking on any link in an unsolicited email or SMS.
* Install and regularly update the antivirus and antispyware apps on your mobile device.
* Always check that your mobile device is running the latest operating system. Enable auto-update for the operating system and mobile applications to receive the latest security, privacy and bug fixes.
* Do not store personally identifiable information (PII) in apps or on mobile devices.
* Review permissions required by each application critically and grant only those permissions which are of utmost necessity.
* Review location settings and allow location access only when the app is in use.
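The first item in the list above, checking whether an SMS arrives from a registered sender header rather than a bare mobile number, can be turned into a simple triage rule for messages that carry links. This is an added example, not code from the article, CERT-In or Cleafy; the header shape (two letters, a hyphen, six alphanumerics) is assumed from the headers the article quotes, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Assumed shape of a registered sender header, derived from the examples
# quoted in the article (BX-SBIINB, AX-ICICIB, VM-AxisBk, BZ-CBSSBI):
# two letters, a hyphen, then six alphanumerics. Not an official spec.
HEADER_RE = re.compile(r"^[A-Z]{2}-[A-Za-z0-9]{6}$")
# A plain subscriber number, optionally with the +91 country code.
MOBILE_RE = re.compile(r"^(\+?91)?\d{10}$")
# Full URLs, plus bare domains on a few TLDs often seen in short links.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|in|net|org|xyz|top|ly)(?:/\S*)?",
    re.I,
)


@dataclass
class Verdict:
    sender_kind: str   # "header", "mobile" or "unknown"
    links: list        # every link found in the message body
    risk: str          # "block", "review" or "ok"


def classify_sender(sender: str) -> str:
    if HEADER_RE.match(sender):
        return "header"
    if MOBILE_RE.match(sender):
        return "mobile"
    return "unknown"


def triage(sender: str, body: str) -> Verdict:
    kind = classify_sender(sender)
    links = URL_RE.findall(body)
    if links and kind != "header":
        risk = "block"    # link from a bare number: the smishing pattern described above
    elif links:
        risk = "review"   # header IDs can be abused too, so still verify the domain
    else:
        risk = "ok"
    return Verdict(kind, links, risk)


# Constructed sample messages (no real bank, number or domain).
SAMPLE_SMS = [
    ("BX-SBIINB", "Rs 1,250.00 debited from a/c XX1234 on 24-09-22. If not done by you, call the helpline."),
    ("+919876543210", "Your account will be blocked today! Update KYC now: http://example-bank-kyc.xyz/app.apk"),
    ("AX-ICICIB", "Download our new app at https://www.example.com/app"),
]


def run() -> list:
    """Return (sender, risk) for each sample message."""
    return [(s, triage(s, b).risk) for s, b in SAMPLE_SMS]


if __name__ == "__main__":
    for sender, body in SAMPLE_SMS:
        v = triage(sender, body)
        print(f"{sender:15} {v.sender_kind:8} {v.risk:7} {v.links}")
```

The header check only tells you the sender is not a bare number; a link in any message still warrants checking the domain against the bank's official site before tapping it.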