New phone threat targets Gmail, GPay cookies and holds phone for ransom

We tend to think of ransomware as something that targets businesses and organizations, and that does so by gaining access to their networks. However, security researchers at Cleafy have discovered a disturbing new module while analyzing the latest versions of the SOVA mobile banking Trojan, which appeared in July. They also found evidence that the malware targets cookies for Gmail, GPay and Google Password Manager.

What is SOVA smartphone malware and what can it do?

This complex and powerful Android malware can intercept two-factor authentication codes, steal cookies and other data, take screenshots and protect itself against uninstallation. Version 4 of the malware, sold through criminal forums on the dark web, can “record and execute gestures” and “handle multiple commands”, the Cleafy report says. These commands include click, swipe, copy and paste, as well as that old chestnut: activating a screen overlay to hide what is happening from the user.


Gmail, GPay and Google Password Manager cookies in the crosshairs

While banking, shopping and, perhaps predictably, crypto exchange and wallet apps are the main targets, the latest version of SOVA is said to have more than 200 apps on its target list.

On the cookie-stealing activity, the Cleafy report said that “the cookie-stealing mechanism has been overhauled and improved” and that it now covers a “comprehensive list of Google services”. Cleafy said Gmail, GPay and Google Password Manager are on this list. Session cookies are worth stealing because they represent an already authenticated login: an attacker who replays them can use the account without knowing the password and without triggering a fresh two-factor prompt.

Ransomware on a smartphone is now a thing

Perhaps the most disturbing new development, however, is found in SOVA version 5. Although still in development, this version has already started to appear in the hands of threat actors, and Cleafy has seen “several samples” through its threat intelligence platform. The development in question is the inclusion of a ransomware module. Yes, you read that right: ransomware on a smartphone.

Wiping crypto wallet theft evidence could be a factor behind SOVA ransomware feature

This module appears to encrypt files on the device using the AES algorithm. Although a lot of phone data is stored or backed up in the cloud, the feature could still turn out to be a strategically wise move on the criminal side of the fence. Even though a factory reset should, one would assume, be the ultimate way out, it also wipes any files that were never backed up, which is exactly the leverage a ransom note relies on. It is likely that enough users, especially the less technically savvy, would be willing to pay an affordable ransom to get their phone working properly again. You only have to think of the panic that sets in when you misplace or lose your phone, or when it freezes, to know that this will happen.

As Dark Reading reports, since SOVA targets crypto wallets, for example, the ransomware module could also be used to effectively destroy evidence, making it “difficult for digital forensics to uncover any trace or attribution of the attacker”.


Android users should be careful, iPhone users can relax

On the plus side, at least for iPhone users, SOVA is a threat only to Android. If you’re an Android user, the usual advice applies: be careful what apps you install and where you install them from. Although rogue apps have occasionally found their way into the Google Play Store and other “official” stores, most of these apps come from unofficial third-party repositories. The overlay, gesture-execution and uninstall-protection features described above all depend on the user granting the app Accessibility Service access when it is first launched, so an app that demands that permission without an obvious reason should be treated as a red flag.
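One concrete way to act on the “where you install them from” advice is to ask the device which installer delivered each third-party app. The script below is an added example, not code from the article or from Cleafy: it parses the output of `adb shell pm list packages -3 -i` (one line per package, `package:<name>  installer=<installer or null>`) and lists every app that did not come from Google Play (installer `com.android.vending`). The sample output embedded in the script is constructed for illustration, and the package names in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Cleafy report or the article): list which
# third-party apps on an Android device were NOT installed by Google Play.
# Input is the output of `adb shell pm list packages -3 -i`, one line per app:
#   package:<package.name>  installer=<installer package or null>
# Anything whose installer is not com.android.vending came from elsewhere:
# a sideloaded APK, a third-party store, or a browser download.

# Read `pm list packages -i` lines on stdin; print packages not installed by Play.
find_non_play_installs() {
    awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            if (inst != "com.android.vending") print pkg " (installer=" inst ")"
        }'
}

# Constructed sample standing in for real `adb shell pm list packages -3 -i` output.
SAMPLE_PM_OUTPUT='package:com.bank.mobile  installer=com.android.vending
package:com.example.freeflashlight  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.cryptotool  installer=com.android.packageinstaller'

# Run the check over the embedded sample so it can be exercised without a device.
find_non_play_installs_sample() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_non_play_installs
}

# With a phone connected over USB debugging: ./check.sh --device
if [ "${1:-}" = "--device" ]; then
    adb shell pm list packages -3 -i | find_non_play_installs
else
    find_non_play_installs_sample
fi
```

On the sample input this reports `com.example.freeflashlight` (installer `null`, a sideloaded APK) and `com.example.cryptotool` (installer `com.android.packageinstaller`, installed by hand from a downloaded file). An entry in this list is a prompt to ask where the app came from, not proof of malice, and, as the article notes, a Play installer is no guarantee of safety either.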
