A new strain of dangerous ransomware has evolved to target Android devices, researchers are warning.
Experts from Cleafy have analyzed the fifth and latest version of the popular Android banking trojan SOVA, and discovered multiple new features, including the ability to encrypt locally stored files.
According to the researchers, the malware (opens in new tab) uses AES encryption to add the .enc extension to all files and prevent the user from accessing them.
Developing the trojan
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data,” Cleafy says.
The fifth version of the trojan is not fully developed, the researchers added, but warned it is nevertheless ready for mass deployment.
SOVA’s owners have been aggressively developing their product for the past couple of months. So far this year, the tool has seen numerous new tools introduced, including two-factor authentication interception, as well as new injections for multiple global banks. It has also seen virtual network computing (VNC) capabilities for on-device fraud. This feature, however, still seems to be under construction.
SOVA is currently capable of targeting more than 200 banks worldwide, as well as numerous cryptocurrency exchanges, and digital wallets. It is capable of taking screenshots, performing taps and swipes, stealing files from compromised endpoints, and adding overlay screens for various apps. It can also steal cookies froM Gmail, Gpay, as well as Google Password Manager.
So far, ransomware (opens in new tab) was only reserved for desktop devices and servers, as its operators were mostly interested in targeting companies and corporations. It seems as the threat actors are looking to diversify, as businesses get better at protecting their premises and keeping airgapped backups.
Via: BleepingComputer (opens in new tab)