Our cooperation partners at Kaspersky Lab have discovered a new variant of the mobile banking trojan Svpeng [1].

Using a keylogger function, the modified Trojan intercepts entered text, such as banking credentials, by abusing Android's accessibility services. This gives the Trojan additional rights and can prevent it from being uninstalled. Even devices running the latest software are not protected against the malware. Accessibility services are user interface extensions that support users who cannot interact with the device. The modified version of Svpeng, discovered by Kaspersky Lab in July 2017, is capable of abusing this system function to intercept text entered into other apps and to gain additional rights for itself.

The Trojan is distributed via malicious websites, disguised as a Flash Player app, and requests permission to use the accessibility services.

This gives it access to the user interface of other apps and allows it to take screenshots and log data such as banking credentials at the touch of a button. In addition, it can give itself administrative rights to the device and overlay other apps, which helps the Trojan get around the fact that some apps prevent screenshots from being taken. Kaspersky Lab experts have identified URLs that target the apps of leading European banks.

The modified Svpeng Trojan can install itself as the default SMS app and thus send and receive SMS, make calls and read contacts. The malware is also able to block all attempts to remove its device administration rights and thus prevent its own uninstallation. The Trojan's dangerous techniques work even on devices that have the latest Android operating system and all security updates installed.
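The three privileges described above (accessibility service, device administrator, default SMS app) can be audited on a device connected over adb. The following is an added example, not part of the original article or of Kaspersky's analysis: it takes the output of `adb shell settings get secure enabled_accessibility_services`, a device administrator list reduced by hand to one component per line (an assumption about the input, for instance from `adb shell dumpsys device_policy`), and the output of `adb shell settings get secure sms_default_application`, and reports which untrusted packages hold which privileges. All package names and the allowlist are constructed sample values.

```python
"""Added example: flag packages holding the privilege mix described above."""

def packages_from_components(value, sep=":"):
    """Extract package names from a list of 'package/class' components."""
    pkgs = set()
    for comp in value.strip().split(sep):
        comp = comp.strip()
        if comp and comp != "null":          # 'settings get' prints null if unset
            pkgs.add(comp.split("/", 1)[0])
    return pkgs

def audit(accessibility, device_admins, default_sms, trusted=frozenset()):
    """Return {package: [privileges]} for untrusted packages, riskiest first."""
    holders = {}
    for pkg in packages_from_components(accessibility):
        holders.setdefault(pkg, []).append("accessibility service")
    for pkg in packages_from_components(device_admins, sep="\n"):
        holders.setdefault(pkg, []).append("device administrator")
    sms = default_sms.strip()
    if sms and sms != "null":
        holders.setdefault(sms, []).append("default SMS app")
    findings = {p: v for p, v in holders.items() if p not in trusted}
    # Packages combining the most privileges come first, then by name.
    return dict(sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0])))

# Constructed sample input (not taken from a real device or a real sample).
ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                 "com.example.flashplayer.update/.core.A11yService")
DEVICE_ADMINS = ("com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver\n"
                 "com.example.flashplayer.update/.core.AdminReceiver")
DEFAULT_SMS = "com.example.flashplayer.update\n"
# Hypothetical allowlist of packages the device owner expects to be privileged.
TRUSTED = {"com.google.android.marvin.talkback", "com.google.android.gms",
           "com.google.android.apps.messaging"}

if __name__ == "__main__":
    for pkg, privs in audit(ACCESSIBILITY, DEVICE_ADMINS, DEFAULT_SMS,
                            TRUSTED).items():
        level = "HIGH" if len(privs) >= 2 else "review"
        print(f"[{level}] {pkg}: {', '.join(privs)}")
```

A package outside the allowlist that holds two or more of these privileges deserves immediate attention, since that is the combination the article describes.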

So far, the number of attacks has been low because the Trojan is not yet widespread. Most attacks come from Russia (29 percent), Germany (27 percent), Turkey (15 percent), Poland (6 percent) and France (3 percent).

“The keylogging function and the abuse of the accessibility services are a new development in the field of mobile banking malware; we are not surprised that Svpeng is leading these developments,” said Roman Unuchek, Senior Malware Analyst at Kaspersky Lab. “The Svpeng malware family is known for innovation, making it one of the most dangerous families around. It was one of the first to attack SMS banking, using phishing websites to overlay apps to obtain credentials and then block the devices and demand money. This is why it is so important to monitor and analyze each new version of this pest family.”

Kaspersky tips to protect against Svpeng

  • Install a robust security solution such as Kaspersky Internet Security for Android [2].
  • Before downloading an app, check whether it comes from a reputable developer.
  • Do not download apps that look suspicious or whose source is not verified.
  • Be careful when granting additional rights to apps.

All Kaspersky Lab solutions detect the Trojan as Trojan-Banker.AndroidOS.Svpeng.ae.

Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.