SOVA Virus In 2022 – Reaches India And Targets Mobile Banking

SOVA Virus is a new mobile banking ‘Trojan’ malware that can secretly encrypt an Android phone for ransom and is difficult to erase. According to the country’s official cyber security agency, it is targeting Indian customers. The report also says the malware has been updated to its fifth iteration since it was discovered on the Indian internet in July.

What is SOVA Virus?

The Sova virus is a new strain of mobile banking malware, delivered as the SOVA Android Trojan. Sova formerly targeted nations such as the United States, Russia, and Spain, and subsequently India.

This malware is one of the most harmful for Indian mobile net banking customers. It is difficult to remove, and the current release is the fifth version since the virus was first found on the Indian internet. It is capable of encrypting all data on the device. The country’s federal cyber security agency revealed this.

Trojan SOVA virus

This particular virus hides inside bogus Android apps that carry logos similar to those of popular apps and services such as Chrome, Amazon, and NFT platforms to trick users into installing it. Its distinguishing trait is the way it protects itself.

When a user attempts to remove the malware through the settings options on their device, the Sova virus interrupts the action and returns the user to the home screen, displaying a notification that reads ‘This app is secured’.

As a result, users are put in a position that compromises their privacy and the security of important customer data. This can result in large-scale attacks and financial fraud against users.

Features of the SOVA Virus

  • The malware captures keystrokes and cookies from infected devices.
  • It grabs the tokens for multi-factor authentication (MFA).
  • It captures screenshots and records video from the camera without the user’s knowledge.
  • It uses the Android accessibility service to perform gestures such as click and swipe.
  • It places bogus overlays on top of a variety of apps.
  • It can also imitate up to 200 banking and payment apps.
  • Indian internet is under attack.


More than 200 mobile apps, including banking apps and cryptocurrency exchanges and wallets, are targeted by this malware.

How Does SOVA Virus Work?

According to CERT-In, Indian banking customers are being targeted by a new mobile banking malware campaign that uses the SOVA Android Trojan. In September 2021, the initial version of the SOVA virus was offered for sale in underground marketplaces, with the capacity to capture user names and passwords via keylogging, steal cookies, and place bogus overlays on a variety of apps.

The most recent iteration of this virus tries to deceive users into installing it by disguising itself as fake Android apps that bear the logos of a few well-known legitimate apps, including Chrome, Amazon, and an NFT (non-fungible token tied to cryptocurrency) platform. When customers log in to their online banking applications and access their bank accounts, the malware collects their credentials. The latest version of the SOVA virus appears to be aimed at more than 200 mobile applications, including banking apps and cryptocurrency exchanges/wallets.

SOVA virus banking attack

The malware is spread through smishing attacks, like most Android banking Trojans. After the fake Android app is installed on the phone, it sends a list of all installed apps to the C2 (command and control) server in order to obtain the list of apps that are being targeted. The C2 returns to the malware a list of addresses for each targeted app, which the malware keeps in an XML file. The targeted apps are then handled through the communication between the malware and the C2.

Prevention Methods

  • Limit your download sources to official app stores, such as your device maker’s or operating system’s app store.
  • Always read the app description before installing it from the Google Play Store. Never tick the ‘Untrusted sources’ checkbox to install side-loaded applications.
  • Install Android updates and fixes as they become available from your Android device provider.
  • Do not browse untrusted websites or follow untrusted links, and be cautious.
  • Be wary of messages sent through unfamiliar email-to-text providers, which mask the sender’s actual phone number.
  • Only open links that clearly display the website domain. When in doubt, double-check the website’s legitimacy by looking for the organisation’s site through a search engine.
  • Install antivirus and antispyware software on your device and keep it updated.
  • Before entering any sensitive information, verify that the encryption certificate is valid by clicking on the green lock in the browser’s address bar.
  • Report any unexpected behavior to your bank right away.
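
A triage check that follows from the points above: SOVA arrives as a side-loaded app and relies on the Android accessibility service, so a third-party package that has an enabled accessibility service and no official-store installer deserves review. This is an added example, not code from CERT-In or the original article; the sample command output is constructed and the trusted-installer set is an assumption.

```python
# Inputs: text output of `adb shell pm list packages -3 -i` and
# `adb shell settings get secure enabled_accessibility_services`.

# Assumption: installers treated as official stores; add your device maker's store.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map third-party package -> installer package (None if unknown/side-loaded)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):] or None
        installers[fields[0][len("package:"):]] = installer
    return installers

def parse_accessibility(setting_value):
    """Map package -> enabled service components from the colon-separated setting."""
    services = {}
    value = setting_value.strip()
    if value in ("", "null"):
        return services
    for entry in value.split(":"):
        package, sep, component = entry.partition("/")
        if sep:
            services.setdefault(package, []).append(component)
    return services

def flag_suspects(pm_output, setting_value):
    """Third-party apps with an enabled accessibility service and no trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for package, components in sorted(parse_accessibility(setting_value).items()):
        if package in installers and installers[package] not in TRUSTED_INSTALLERS:
            findings.append((package, installers[package], components))
    return findings

# Constructed sample output (not from a real device).
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.reader  installer=com.android.vending
package:com.example.browser.update  installer=null
package:com.example.files  installer=com.google.android.packageinstaller"""
SAMPLE_A11Y = ("com.example.reader/.ReadAloudService:"
               "com.example.browser.update/com.example.browser.update.CoreService:"
               "com.google.android.marvin.talkback/.TalkBackService")
```

Calling `flag_suspects(SAMPLE_PM, SAMPLE_A11Y)` returns one tuple of (package, installer, services) per app to review; system packages absent from the `-3` listing are skipped.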

Final Word

This malware is risky, and the cyber security agency recommends being careful while downloading any app from the Play Store or using mobile banking. It is also being updated from time to time to stay powerful, so you have to be more careful. Share this article to inform others about this harmful virus.


What is SOVA virus which was seen in the news recently?

SOVA Virus is a new mobile banking ‘Trojan’ malware that can secretly encrypt an Android phone for ransom and is difficult to erase.

What is Trojan in malware?

Malware that disguises itself as legitimate code or software.
