Our partners at Kaspersky Lab have discovered a new variant of the mobile banking Trojan Svpeng [1].
Using a keylogger function, the modified Trojan intercepts entered text, such as banking credentials, by abusing Android's Accessibility Services. This abuse also gives the Trojan additional rights and can prevent it from being uninstalled. Even devices running the latest software are not protected against the malware. Accessibility Services are user interface extensions that support users who cannot interact with the device. The modified version of Svpeng, discovered by Kaspersky Lab in July 2017, is capable of abusing this system function to intercept text entered into other apps and to gain additional rights for itself.
The Trojan is distributed via malicious websites, disguised as a Flash Player app, and requests permission to use Accessibility Services.
The modified Svpeng Trojan can install itself as the default SMS app and thus send and receive SMS, make calls and read contacts. The malware is also able to block all attempts to revoke its device administrator rights and thus prevent its own uninstallation. The Trojan's dangerous techniques work even on devices that have the latest Android operating system and all security updates installed.
So far, the number of attacks has been low because the Trojan is not yet widespread. Most attacks come from Russia (29 percent), Germany (27 percent), Turkey (15 percent), Poland (6 percent) and France (3 percent).
“The keylogging function and the abuse of the access services are a new development in the field of mobile banking malware. We are not surprised that Svpeng is leading these developments,” said Roman Unuchek, Senior Malware Analyst at Kaspersky Lab. “The Svpeng malware family is known for innovation, making it one of the most dangerous families around. It was one of the first to attack SMS banking, using phishing websites to overlay apps to obtain credentials and then block the devices and demand money. This is why it is so important to monitor and analyze each new version of this pest family.”
Kaspersky tips to protect against Svpeng
- Install a robust security solution such as Kaspersky Internet Security for Android [2].
- Before downloading an app, check whether it comes from a reputable developer.
- Do not download apps that look suspicious or whose source is not verified.
- Be careful when granting additional rights to apps.
All Kaspersky Lab solutions detect the Trojan as Trojan-Banker.AndroidOS.Svpeng.ae.
- More information about the new modification of Svpeng can be found at https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
- [1] https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
- [2] https://www.kaspersky.de/android-security