This dangerous new malware now also contains ransomware to lock your Android phone

A dangerous new strain of ransomware has evolved to target Android devices, researchers warn.

Cleafy experts analyzed the fifth and latest version of the notorious SOVA Android banking Trojan and discovered several new features, including the ability to encrypt locally stored files.

According to the researchers, the malware uses AES encryption, appends the .enc extension to all files, and prevents the user from accessing them.

Developing the Trojan

"The ransomware feature is quite interesting as it is not yet common in the Android banking Trojan landscape. Most people centrally store personal and work data," Cleafy said.

The fifth version of the Trojan is not fully developed, the researchers added, but warned that it was nonetheless ready for mass deployment.

SOVA's operators have been aggressively developing their product for the last two months. So far this year, many new features have been added to the tool, including two-factor authentication interception, as well as new injections for various global banks. It also gained virtual network computing (VNC) capabilities for on-device fraud. This feature, however, appears to still be under construction.

Currently, SOVA can target more than 200 banks worldwide, as well as numerous cryptocurrency exchanges and digital wallets. It is capable of taking screenshots, performing taps and swipes, stealing files from compromised endpoints, and adding screen overlays for various applications. It can also steal cookies from Gmail, GPay and Google Password Manager.

Until now, ransomware was restricted to desktop devices and servers, as its operators were primarily interested in targeting businesses and corporations. It seems that threat actors are looking to diversify as companies get better at protecting their facilities and maintaining isolated backups.

Via: BleepingComputer