We tend to think of ransomware as being something that mostly targets businesses and organizations, and primarily does so via gaining access to their networks. Yet, security researchers at Cleafy have uncovered a worrying new threat module while analyzing the latest versions of the SOVA mobile banking trojan that emerged in July. What’s more, they found evidence the malware wants to steal your Gmail, GPay, and Google Password Manager cookies.
This complex and powerful piece of Android malware is capable of intercepting two-factor authentication codes, stealing cookies and data, taking screenshots, and protecting itself from being uninstalled. Version 4 of the malware, sold through dark web criminal forums, can “record and perform gestures,” as well as “manage multiple commands,” the Cleafy report stated. Those commands include clicking, swiping, copying, pasting, and that old chestnut, activating an overlay screen to hide what’s happening from the user.
While banking, shopping, and perhaps predictably, crypto exchanges and wallets are the primary targets, the latest version of SOVA reportedly includes more than 200 apps on its targeting list.
When it comes to the cookie-stealing activity, the Cleafy report stated that “the cookie stealer mechanism was refactored and improved,” in particular it included a “comprehensive list of Google services.” Cleafy said that Gmail, GPay, and Google Password Manager were on this list.
However, perhaps the most worrying new development can be found in SOVA version 5. While still in development, this version has already started appearing in the hands of threat actors, and Cleafy has seen “multiple samples” through its threat intelligence platform. That development is the inclusion of a ransomware module. Yes, you heard that right, ransomware on a smartphone.
It would appear that this module allows for the encryption of files using an AES algorithm. Although plenty of data is stored in, or backed up to, the cloud, this could still prove to be a strategically sound move from the criminal side of the fence. Despite, one would assume, having the ultimate respite of simply factory-resetting your phone, it’s likely that enough users, especially at the less technically savvy end of the equation, would be prepared to pay an affordable ransom to get their phone working correctly again. You only have to think about the panic that sets in when you misplace or lose your phone, or if it bricks, to know this will happen.
As Dark Reading reports, given that SOVA targets crypto-wallets, for example, the ransomware module could also be used to effectively destroy evidence making it “difficult for digital forensics to discover any traces or attribution of the attacker.”
On the plus side, at least for iPhone users, is that SOVA is an Android-only threat. If you’re an Android user, the usual advice applies: be careful what apps you install and be mindful of the places from where you install them. Although malicious apps have found their way into the Google Play Store and other ‘official’ stores before now, far and away, most such apps come from third-party, unofficial depositories.