Dangerous Android Banking Trojan, SVPENG, modified with a Keylogger

In mid-July this year, it was discovered that a well-known banking malware, Svpeng (Trojan-Banker.AndroidOS.Svpeng.ae), has gained a dangerous new feature: a keylogger. Cyber criminals are constantly developing new, stealthier ways to steal sensitive data.

Kaspersky Lab’s senior malware analyst, Roman Unuchek, claimed Monday to have discovered this latest version of the Android banking Trojan, Svpeng, in mid-July. The new strain of the malware takes advantage of Android’s Accessibility Services, a feature which allows users to access apps while driving and helps users with disabilities. This variant gives criminals the ability to steal text entered in apps installed on the user’s device, log all keystrokes the user makes, take screenshots, and open URLs. It also removes the user’s ability to uninstall the Trojan by granting itself more permissions and rights. Unuchek stated, “It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts. Furthermore, using its newly gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation.” It also prevents the installation and uninstallation of other applications.

The malware has not been widely deployed yet; however, it has hit 23 countries in Europe, including Russia, Germany, Turkey, Poland, and France. Affected users in Russia, however, are not hit too hard: Svpeng does not perform malicious attacks on those devices.

The Trojan checks the device’s language before carrying out any malicious actions. If the language is set to Russian, the malware does not proceed with further attacks, which suggests that the criminals behind the malware may be Russian. If the Trojan finds that the device is not set to Russian, it then asks for permission to use the accessibility services. The researcher has said the malware was being distributed through malicious websites, disguised as a fake Flash player. After granting itself administrator rights, it installs itself as a default SMS app, gaining the ability to send and receive SMS, make phone calls, and read contacts. Every time the user presses a button on the keyboard, a screenshot is taken and sent to the malicious server. Unuchek stated the following:

“(Svpeng) was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important to monitor and analyze every new version.”

To protect your devices from malware, it is important to take safety precautions. Never download apps from third-party sources; stick to trusted sources like the Google Play Store or the Apple App Store. Even on the trusted stores, it is important to download applications only from trusted and verified sources. Also, avoid connecting to unsecured Wi-Fi hotspots and do not click on links provided in your messages or email. Installing a trusted antivirus app to detect and block malware on your devices provides extra security. Taking these few measures can help keep your personal data from being stolen.
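
An added example (not from the original article or from Kaspersky Lab) that flags sideloaded apps combining an accessibility service with the other abilities quoted above. The inventory format, its field names and the sample packages are constructed assumptions; the permission strings are real Android names.

```python
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Android permission names behind the abilities the article lists.
TRAITS = {
    "accessibility_service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "calls_contacts": {"android.permission.CALL_PHONE",
                       "android.permission.READ_CONTACTS"},
}

def traits(app):
    """Sorted trait names whose permissions all appear in the app's manifest."""
    declared = set(app["manifest_permissions"])
    found = {name for name, perms in TRAITS.items() if perms <= declared}
    if app.get("is_default_sms_app"):
        found.add("default_sms_app")
    return sorted(found)

def triage(apps):
    """Flag non-Play apps pairing an accessibility service with 2+ other traits."""
    flagged = {}
    for app in apps:
        found = traits(app)
        sideloaded = app.get("installer") != PLAY_STORE
        if sideloaded and "accessibility_service" in found and len(found) >= 3:
            flagged[app["package"]] = found
    return flagged

# Constructed inventory (assumed format): one record per installed app, where
# manifest_permissions holds <uses-permission> names plus android:permission
# values declared on the app's services and receivers.
SAMPLE = [
    {"package": "com.example.flashplayer.update", "installer": None,
     "is_default_sms_app": True,
     "manifest_permissions": sorted(set().union(*TRAITS.values()))},
    {"package": "com.example.screenreader", "installer": PLAY_STORE,
     "manifest_permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE"]},
    {"package": "com.example.sideloaded.sms", "installer": None,
     "is_default_sms_app": True,
     "manifest_permissions": ["android.permission.SEND_SMS",
                              "android.permission.RECEIVE_SMS"]},
]

if __name__ == "__main__":
    for package, found in triage(SAMPLE).items():
        print(package, "->", ", ".join(found))
```
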