Android users have been put on red alert about a new banking trojan that can steal sensitive personal information. The latest malware to target the Google-made OS has been dubbed S.O.V.A and researchers at ThreatFabric only discovered it last month. The dangerous new Android malware is targeting users of popular Google Play Store apps in many regions around the world, including the UK, US, Australia and European countries such as Germany, Italy and Spain.
Experts have warned the stealthy Android malware can be used in a variety of attacks and is capable of “incredible damage”.
The malicious software was named after the Russian word for owl, and that’s apt as the malware – like its nocturnal namesake – is capable of quietly stalking and capturing its prey.
Researchers said the Android malware’s primary aim is to steal sensitive user information from victims, which it does through keylogging, overlay attacks and other nefarious means.
But experts also said S.O.V.A has a number of other dangerous capabilities, which mean it can be used in ransomware, man-in-the-middle and distributed denial of service (DDoS) attacks.
In an online study, ThreatFabric said: “This identifies a completely new, to the best of our knowledge, Android banking trojan. The trojan is currently in development and testing phase, and has the objective to add to his overlay and keylogging mechanisms, other highly dangerous features like DDoS and Ransomware in future versions.”
The Amsterdam-based security experts went on to add: “Like many others, S.O.V.A. is also taking a page out of traditional desktop malware, confirming a trend that has been existing for the past few years in mobile malware. Including DDoS, Man in the Middle, and Ransomware to its arsenal could mean incredible damage to end-users, in addition to the already very dangerous threat that overlay and keylogging attacks serve.”
ThreatFabric said S.O.V.A is still in the development and testing phase, but a number of samples of it have been spotted in the wild.
And what sets S.O.V.A apart from other pieces of Android malware is that it can perform session cookie theft.
Cookies are an integral part of the internet experience and allow users to stay logged into a huge variety of websites without having to repeatedly input their username and password.
Threat actors that are able to get hold of a valid session cookie effectively have access to the victim’s logged in web session.
This opens an Android user up to a huge variety of attacks.
ThreatFabric said the most targeted country for the S.O.V.A threat so far is the US, followed by the UK.
Popular Android apps found on the Google Play Store that are being targeted by the new malware include the Barclays, Lloyds, Halifax and NatWest apps.
Other widely used Android apps that are targets of S.O.V.A include the Amazon and PayPal apps.
Speaking about what the future holds for this new malware, ThreatFabric added: “The current version of S.O.V.A. is capable of stealing credentials and session cookies through overlay attacks, keylogging, hiding notifications, and manipulating the clipboard to insert modified cryptocurrency wallet addresses. If the authors adhere to the roadmap, it will also be able to feature on-device fraud through VNC, DDoS capabilities, Ransomware, and advanced overlay attacks. These features would make S.O.V.A. the most feature-rich Android malware on the market and could become the ‘new norm’ for Android banking trojans targeting financial institutions.”
As always, the best way to stay clear of malware is to stick to the official Google Play Store app marketplace and to only download apps from trusted developers.
Not clicking on suspicious emails sent from unfamiliar contacts, and not visiting websites that don’t support the HTTPS protocol, can also help keep you safe from threats.