Android: Sova malware can now deliver ransomware


First appearing last September, the Sova malware is back. Its new features make it even more powerful and more dangerous. Notably, it is now capable of spreading ransomware.

From credential theft to ransomware

When the Sova banking malware for Android devices first appeared on underground marketplaces last September, its developers said it was still under development.

That didn’t make it any less formidable: it could already log keystrokes to capture usernames and passwords, steal cookies, and add fake overlays to a whole host of apps.

But development has not stopped. Sova was recently updated with new capabilities, according to cybersecurity researchers at online fraud prevention firm Cleafy. It can now imitate over 200 banking and payment apps and target cryptocurrency wallets.

The malware can also now encrypt devices with ransomware, although this feature appears to be still in the works.

Triple penalty

“The ransomware feature is interesting because it’s not common in the Android banking trojan landscape. It takes advantage of the opportunities that have developed in recent years, with mobile devices becoming for most users the central point of storage of personal and professional data,” explain the Cleafy researchers.

Victims of this Trojan therefore now risk not only having their sensitive information (bank details, passwords and more) secretly stolen, but also losing access to their files to ransomware, with decryption of the data made conditional on payment of a ransom.

The latest malware update also allows attackers to take screenshots of the device, and even record audio from the infected smartphone.

Bypass multi-factor authentication

Other new features added to Sova in recent months include the ability to intercept tokens used by multi-factor authentication (MFA). Thus, attackers can steal data even if the account is protected by this additional layer of security.

The researchers also warn that while the malware is still in active development, “it is poised to conduct large-scale fraudulent activities.”

Like many other forms of malware found on Android, Sova is distributed through fake apps that pretend to be services from big-name entities like Google and Amazon. The fake app is actually an “empty shell” containing only the malware.

How to protect yourself from it?

To avoid falling victim to this type of mobile malware, pay attention to the applications you download and where they come from. Official application stores (App Store, Play Store) are more reliable than third-party download sites, but even there you should stay cautious and check what is being offered.

For example, if an app claims to be from a known developer but is listed as having been developed by someone else, you should avoid downloading it.

The official application stores also let you leave a review of an application and read the reviews of others. If in doubt, read these reviews. A series of negative comments can tell you that you are on the wrong track.

Source: ZDNet.com




