Indian Android users are added to SOVA trojan’s list of victims

September 19, 2022

Indian Android users have been warned after reports showed that the SOVA banking trojan has begun targeting the region, in particular people who use mobile banking apps. Written in Kotlin, the malware was first detected in September 2021, when it targeted Eastern Europe. CERT-In's advisory, however, states that India was added to SOVA's list of targeted countries in July 2022.

Researchers found SOVA to be more capable than a typical banking trojan. Once an Android device is infected, SOVA can deploy a range of capabilities, such as DDoS and keylogging. It can also steal session cookies, which lets it take over an already authenticated banking session without needing the victim's credentials at all.

SOVA's author lets other criminals test-drive the malware so they can find further ways to improve its attacks on Android devices, whose targets now include Indian users.

According to the reports, the malware's author invited other criminals to test SOVA in order to find more ways to improve its capabilities. A roadmap of upcoming features has also been published, and researchers expect the operators to follow it over time.

Kotlin is one of the languages officially supported for Android development, and SOVA is written entirely in it; researchers have described it as possibly one of the most advanced Android bots developed fully in Kotlin. Their concern is that as the malware matures and gains capabilities, a growing number of Android users, including its new Indian targets, will be exposed to serious harm.

CERT-In also noted in its advisory that the latest SOVA version hides behind fake Android apps that impersonate legitimate applications such as Chrome and Amazon. The operators also disguise the malware as NFT and cryptocurrency wallet apps.

Since its initial detection, SOVA has targeted over 200 Android mobile apps, aiming to siphon user credentials and access bank accounts to steal funds.

Currently, the SOVA banking trojan's capabilities include logging keystrokes, taking screenshots, recording video, stealing cookies, reading and writing the clipboard, placing fake overlays on top of targeted apps, intercepting MFA tokens, and performing gestures such as taps and swipes through the Android accessibility service.

What makes SOVA more sophisticated still is its ability to resist deletion from an infected device. A protection module, built on the same accessibility access, intercepts attempts to uninstall the app and sends the user back to the home screen instead.

The threat SOVA poses to Indian Android users concerns security experts: beyond draining victims' bank accounts, it compromises their privacy and safety. Experts therefore advise users to install apps only from official stores and never from third-party sources, to treat requests for accessibility permissions with suspicion, to enable MFA on financial apps, and to report suspicious activity as soon as it occurs.
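As an added example, not part of the original advisory nor of any SOVA analysis: a small POSIX shell triage helper for the combination of risk factors described above, apps installed from outside Google Play that also hold an accessibility service. It parses constructed sample output in the format of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; the package names in the sample are hypothetical.

```shell
#!/bin/sh
# Added triage helper (hypothetical, not from the advisory): flag third-party
# packages that were NOT installed from Google Play and that also have an
# accessibility service enabled, the combination that SOVA-style overlay and
# gesture abuse relies on. Package names below are constructed samples.
set -eu

# Input: text of `adb shell pm list packages -3 -i`, e.g.
#   package:com.example.app  installer=com.android.vending
# Output: one package name per line whose installer is not Google Play
# (sideloaded packages show installer=null, third-party stores show their own id).
sideloaded_packages() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { inst = $i; sub(/^installer=/, "", inst) }
            if (inst != "com.android.vending") print pkg
        }'
}

# Input: text of `adb shell settings get secure enabled_accessibility_services`,
# a colon-separated list of package/ServiceClass entries (or "null" if none).
# Output: the distinct package names that currently hold accessibility access.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' |
        awk -F/ '$1 != "" && $1 != "null" { print $1 }' | sort -u
}

# Output: packages present in both lists, i.e. the ones to inspect first.
suspect_packages() {
    {
        sideloaded_packages "$1" | sed 's/^/S /'
        accessibility_packages "$2" | sed 's/^/A /'
    } | awk '$1 == "S" { s[$2] = 1 } $1 == "A" && ($2 in s) { print $2 }'
}

# Constructed sample output; on a real device replace these with
#   PKG_LIST=$(adb shell pm list packages -3 -i)
#   ACC_LIST=$(adb shell settings get secure enabled_accessibility_services)
PKG_LIST='package:com.whatsapp  installer=com.android.vending
package:com.bank.mobile  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.wallet.nft.free  installer=com.aurora.store'
ACC_LIST='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.chrome.update/com.chrome.update.AccService'

printf 'Sideloaded packages holding accessibility access:\n'
suspect_packages "$PKG_LIST" "$ACC_LIST"
```

A hit from this script is a lead, not a verdict: legitimate screen readers and automation tools also use accessibility, and a trojan can just as well arrive through a third-party store as through a raw APK. It does narrow a device with dozens of apps down to the handful worth pulling for a closer look, and the same three `adb` commands can be scripted across a fleet of managed devices.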
