Banks alert customers about mobile banking malware targeting over 200 apps

This malware captures the credentials when users log into their net-banking apps and access bank accounts

Several Indian banks have alerted their customers not to download apps from any source other than official app stores. Banking customers are being targeted by a new type of mobile banking malware campaign using SOVA Android Trojan.

This malware captures the credentials when users log onto their net-banking apps and access bank accounts. The new version of SOVA appears to be targeting more than 200 mobile applications, including banking apps and crypto wallets.

A number of banks -- including HDFC Bank, IDBI Bank, and Karur Vysya Bank -- have informed their customers or are in the process of issuing advisory regarding the malware.

“CERT-in has already issued an advisory to banks and we have suggested several steps, too, to stay protected,” said Sameer Ratolikar, chief information security officer, HDFC Bank.

“We have advised users not to download apps from third-party websites, regularly update their Android devices with the latest patches, and avoid visiting untrusted websites/clicking suspicious links,” Ratolikar told Business Standard, adding that HDFC Bank has initiated an in-depth awareness campaign for its customers.

The malware is distributed via smishing (phishing via SMS) attacks. Once the fake android app is installed on a mobile phone, it sends/ captures the list of all applications installed on the device and targets specific financial applications.

While asking customers to download applications from official app stores, such as device manufacturer’s or operating system app store, banks are advising them that before downloading or installing apps on android devices, even from Google Play, to always review app details, the number of downloads, user reviews, comments, and additional information section.

“The malware is capable of collecting keystrokes, stealing cookies, intercepting multi-factor authentication (MFA) tokens, taking screenshots and recording video from a webcam, performing gestures like screen click, swipe, etc, using android accessibility service, copy/paste, and even mimicking over 200 banking and payment applications. The malware also has the capability to encrypt all data on an android phone and hold it to ransom,” a public sector bank said in an advisory to the banks.

IDBI Bank asked its customers not to browse untrusted websites or follow untrusted links and exercise caution while clicking on the link provided in any unsolicited e-mails and SMSs.

“Look for suspicious numbers that don't look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain sender id (consisting of bank’s short name) instead of a phone number in the sender information field,” IDBI Bank said.

Banks have advised that customers should report any unusual activity in their account immediately to the respective bank with the relevant details for taking further appropriate actions, while asking them to install and maintain updated anti-virus and antispyware software.