An Android banking trojan has re-emerged with new features that make it more powerful and more dangerous to a wider range of users. Also, it now delivers ransomware.
The Sova Android banking malware first appeared for sale in underground markets in September last year, with its author stating that it was still under development. Even so, it already packed a punch: it could harvest usernames and passwords via keylogging, steal cookies and add false overlays to a range of apps.
Now, as detailed by cybersecurity researchers at online fraud prevention company Cleafy, Sova has been updated with a range of new abilities, including the ability to mimic over 200 banking and payment applications, plus the capability to target cryptocurrency wallets. Sova can also now encrypt devices with ransomware, although this feature still appears to be in the process of being implemented.
This raises the prospect of victims not only having information including bank details, passwords and other personal data secretly stolen by trojan malware, but also losing their files to encryption, unless they give in and pay a ransom demand.
"The ransomware feature is quite interesting as it's still not a common one in the Android banking trojans landscape. It strongly leverages the opportunity that has arisen in recent years, as mobile devices have become for most people the central storage for personal and business data," wrote researchers at Cleafy in a blog post.
The latest update also allows attackers to take screenshots from the device and even record from the infected smartphone.
Sova has been updated with new capabilities multiple times in recent months, including the ability to intercept multi-factor authentication (MFA) tokens, allowing attackers to steal information even if the account is protected with the recommended additional layer of defence.
Researchers also warn that even though the malware is still under active development, "it's ready to carry on fraudulent activities at scale."
Like many other forms of Android malware, Sova is delivered via fake applications which claim to be from known entities, including the likes of Google and Amazon. However, the apps don't serve any purpose other than to deliver the malware, and often lack any of their advertised functions.
To help avoid falling victim to mobile malware, users should be cautious about what applications they download and from where. Official application stores are more trustworthy than third-party download sites, but even then you should ensure that what you're downloading is really what it says it is.
For example, an app could claim to be something from a well-known developer, but if it's registered as developed by someone else entirely, you should avoid downloading the app.
In official app stores, users can also check reviews of the app – a string of negative reviews might provide clues that the app isn't what it really claims to be.
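The developer check described above can be made concrete for sideloaded packages: the identity that actually matters is the key that signed the APK, not the name on the listing. The following script is an added example, not code from the article or from Cleafy. It assumes `apksigner` from the Android SDK build-tools (whose `verify --print-certs` output it parses) and a known-good certificate digest obtained from the genuine developer; the sample output and the digests embedded below are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example: compare the SHA-256 digest of an APK's signing certificate, as
# printed by `apksigner verify --print-certs` (Android SDK build-tools), with
# the digest the genuine developer publishes. A mismatch means the package was
# signed by someone else, whatever the store listing or app name claims.

# Pull the Signer #1 SHA-256 digest out of apksigner's --print-certs output.
# $1: the tool's output text. Prints the digest in lowercase hex, or nothing.
extract_signer_sha256() {
    printf '%s\n' "$1" \
      | sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9a-fA-F]*\).*/\1/p' \
      | tr 'A-F' 'a-f' \
      | head -n 1
}

# Return 0 when the signer digest equals the pinned one, 1 otherwise.
# $1: apksigner output text, $2: expected digest (hex, colons allowed).
check_signer() {
    actual=$(extract_signer_sha256 "$1")
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Real use (commented out so the script runs stand-alone):
# check_signer "$(apksigner verify --print-certs app.apk)" "$PINNED_DIGEST"

# Constructed placeholder digest standing in for the genuine developer's key.
PINNED_DIGEST='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Constructed sample of apksigner output for a package signed with that key.
GOOD_OUTPUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'

# Constructed sample for a look-alike package signed with a different key.
BAD_OUTPUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Signer #1 certificate SHA-1 digest: 1111111111111111111111111111111111111111'

if check_signer "$GOOD_OUTPUT" "$PINNED_DIGEST"; then
    echo "genuine sample: signer matches pinned digest"
fi
if ! check_signer "$BAD_OUTPUT" "$PINNED_DIGEST"; then
    echo "look-alike sample: signer does NOT match pinned digest"
fi
```

The pinned digest has to come from a trusted channel (the developer's own site, or a copy of the app already known to be genuine); the script only confirms that the APK was signed by the holder of that key, which is exactly what a fake "Google" or "Amazon" package cannot reproduce. Note that the subject name in the certificate DN is chosen by whoever created the key, so it is not evidence on its own; the digest is.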