SOVA is targeting Indian customers: check security advisory

Khushi Bali November 21, 2022
Updated 2022/11/21 at 7:34 AM

According to the latest advisory from India’s federal cyber security agency, a new mobile banking ‘Trojan’ virus, SOVA, is targeting Indian customers. It can secretly encrypt an Android phone for ransom and is difficult to remove. After being discovered in Indian cyberspace in July, the virus has progressed to its fifth version. The information was released by the Indian Computer Emergency Response Team (CERT-In), the federal technology arm. CERT-In combats cyber attacks and protects the Internet from phishing and hacking attacks, among other online threats.

Here is everything you need to know about the SOVA virus

SOVA can insert false overlays into a variety of apps. In order to deceive the Android user, it also imitates over 200 banking and payment applications.

The most recent version of this malware conceals itself within bogus Android applications. These may appear with the logo of a few well-known legitimate apps, such as Chrome, Amazon, and an NFT (non-fungible token, linked to cryptocurrency) platform, in order to trick users into installing them.

The Indian Computer Emergency Response Team, or CERT-In, is the federal government’s cyber-attack response team. It protects the Internet from phishing and hacking attacks, as well as other types of online attacks. The malware, like most Android banking Trojans, is distributed via smishing (phishing via SMS) attacks, according to the agency.

The virus’s lethality can be gauged from the fact that it can collect keystrokes, steal cookies, intercept multi-factor authentication (MFA) tokens, take screenshots, record video from a webcam, and perform gestures such as screen clicks and swipes using the Android accessibility service.

It has the potential to jeopardise the privacy and security of sensitive customer data, leading to “large-scale” attacks and financial fraud.

How does it function?

According to the advisory, once the fake Android application is installed on the phone, it sends a list of all applications installed on the device to the threat actor’s C2 (command and control server) in order to obtain the list of targeted applications.

“At this point, the C2 sends the list of addresses for each targeted application back to the malware and stores it in an XML file. The communications between the malware and the C2 are then used to manage these targeted applications,” it stated.

How to safeguard your Android device?

CERT-In suggested some counter-measures and best practices that users can follow to stay safe from the virus.

Users should limit their download sources to official app stores, such as your device’s manufacturer or operating system app store. Additionally, they should always review the app details, number of downloads, user reviews, comments, and “ADDITIONAL INFORMATION” section, it said.
