Mumbai: SOVA, a malware that creeps into your phone disguised as popular apps like Google Chrome and Amazon, seems to have turned its attention towards India. According to the latest research, India ranks third in the list of countries targeted by SOVA this year.
SOVA is a matter of concern not just for India but for several other countries, because it is a banking trojan. While most malware aims to steal data in general, banking trojans are specifically programmed to ignore everything else and go after the banking apps on your device. Called ‘trojans’ because they slip into target devices disguised as legitimate apps, these malware capture your credentials when you log into your netbanking apps and then access your bank accounts.
A detailed research report was published earlier this week by Cleafy Labs, a cyber threat intelligence and fraud management firm based in Italy, which showed that while SOVA was earlier focusing on countries like the USA, Russia and Spain, it diversified and added several other countries, including India, to its list of targets from May to July this year.
The data made public by Cleafy indicates that by last month, SOVA had targeted 25 banking apps from the Philippines, 12 from the United Kingdom and four from India, placing India third in terms of freshly targeted countries this year. Banking apps from several other countries have also been targeted, but in lower numbers.
Responding to a query from Hindustan Times, Paolo Raffin, Marketing Manager at Cleafy, said, “From our analysis, the Indian targets appear to have been added around May 2022.”
This means that in just two months, SOVA has compromised four banking apps in India and its activities are still ongoing.
Cleafy’s research has also found that the hackers using SOVA have a specific list of apps that they target, including GPay, Gmail and Google Password Manager, all of which are widely used in India.
“To obtain the list of targeted applications, SOVA sends the list of all applications installed on the device to the C2 (Command and Control server), right after it has been installed. At this point, the C2 sends back to the malware the list of addresses for each targeted application and stores this information,” Cleafy’s report, accessed by HT, states.
As the name suggests, a C2 (command-and-control) server is the server from which the attackers control the malware entirely, issuing commands on how to proceed once it is inside a target device.
However, the firm says that the worst of SOVA is yet to be seen. Cleafy has discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and that this version has the capability to encrypt all data on an Android phone and hold it to ransom. While ransomware attacks have traditionally been limited to desktop and laptop computers, ransomware on Android is rare but much more effective.
“To date, we have no evidence of how SOVA is distributed in India. It is likely that it was distributed via smishing (phishing via SMS) attacks, like most Android banking trojans. However, considering the increasing efforts of hackers (threat actors) in the last year trying to upload malware on the Google Play Store, we do not exclude this possibility at some point in the near future,” Raffin told HT when asked how SOVA makes it onto devices.