August 1, 2017 by

Dangerous Android Banking Trojan, SVPENG, modified with a Keylogger

In mid-July this year, it was discovered that a well-known banking malware, Svpeng-Trojan-Banker.AndroidOS.Svpeng.ae., has been added with a new dangerous addition, a keylogger. Cyber criminals are constantly developing new, stealthier ways to steal sensitive data.

Kaspersky Lab’s Senior malware analyst, Roman Unuchek, claimed Monday to have discovered this latest version of the Android banking Trojan, Svpeng, mid-July.  The new strain of the malware takes advantage Of Android’s Accessibility Services, a feature which allows users to access apps while driving and helps users with disabilities.  This variant of the malware gives criminals the ability to steal the entered text on installed apps on the user’s device, log all keystrokes the user makes, take screenshots, and opens URLs. As well as, disabling user’s the capability to uninstall the Trojan by yielding itself more permissions and rights. Unuchek stated,“It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts, Furthermore, using its newly gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation.” It also prevents the installation and uninstallation of other applications as well.

The malware has not been widely deployed yet, however it has hit 23 countries in Europe -including Russia, Germany, Turkey, Poland, and France. However, affected users from Russia, are not hit too hard. Svpeng is not performing malicious attacks on those devices.

The Trojan, checks the device’s language before acting on any malicious attacks. If the language is not set in Russian, the malware prevents further attacks. Suggesting the criminals behind the malware, may be Russian.  If the Trojan does not find that the device is set to Russian, the Trojan then asks permission to use the accessibility services.  The researcher has said the malware was being deployed through malicious websites disguised as a fake flash player. Granting itself administrator rights, it installs itself as a default SMS app, getting the ability to send and receive SMS, make phone calls, and read contacts. Every time the user presses a button on the keyboard, a screenshot is taken and sent to the malicious server. Unuchek stated the following,

“(Svpeng) was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important monitor and analyze every new version”.

To prevent your devices from malware it important to take safety precautions. Never download apps from third party sources and stick to trusted sources like Google Play Store or the Apple App Store.  Even on the trusted sources, it is important to download applications from only trusted and verified sources. Also, avoid connecting to unsecure Wi-Fi hotspots and do not click on links provided in your messages or email. It is also important and provides extra security if you install a trusted antivirus app to detect and block malware on your devices. Taking these few measurements can help your personal data from getting stolen.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Security Researchers Uncover ‘World’s Most Powerful Android Spyware’

Security researchers at Kaspersky have uncovered a new form of Android spyware with capabilities...

Read more arrow_forward

This Android CryptoMining Malware is Capable of Destroying Android Phones

Cybersecurity researchers have discovered a “jack of all trades” cryptocurrency mining malware...

Read more arrow_forward

Banking Malware Spin-Off Targets Twitter, Facebook Accounts

A sophisticated strain of malware based on the Zeus trojan has been discovered monitoring and...

Read more arrow_forward