One of the most notorious Android banking Trojans, Svpeng, owes its reputation to regular updates that keep the malware fresh and infecting victims, and it has just been upgraded once again.
The update adds keylogger functionality that lets the Trojan capture any text typed on the phone, including usernames and passwords. It does this by abusing accessibility services, an Android feature designed to help people with disabilities use their phones.
Svpeng turns this feature against the user: it makes the malware able to read text entered in other apps, open URLs and read text messages. It also uses the same feature to grant itself additional permissions and rights, which lets it resist being removed from the phone.
Researchers at Kaspersky Lab discovered the latest version of the malware and found that it is being spread through malicious websites as a fake Flash Player. They say it works even on fully up-to-date versions of Android, because it relies on a legitimate feature rather than on an unpatched vulnerability.
Once on the device, the malware asks the user to grant it access to accessibility services. With that permission it grants itself device administrator rights and makes itself the default SMS app.
Svpeng can then send and receive texts, read contacts and make calls, and it can block attempts to remove it.
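The three footholds just described (an enabled accessibility service, device administrator rights and the default SMS role) are all visible through adb, so a triage script can flag unexpected holders of them on a suspect phone. The following POSIX shell script is an added example written for this article, not code from the original page or from Kaspersky Lab. It assumes adb is on the PATH when run against a live device; the allowlists and the sample device output embedded in it are constructed for illustration, and the `dumpsys device_policy` line layout it parses (each admin listed as `pkg/class:`) is an assumption that may differ between Android versions.

```shell
#!/bin/sh
# Triage helper for accessibility-service / device-admin / default-SMS abuse
# of the kind described above. Added example, not code from the article or
# from Kaspersky Lab. Each check_* function takes the raw output of one adb
# command as its single argument and prints one package per line that is not
# on the corresponding allowlist. Allowlists are constructed; tune per fleet.

ALLOWED_A11Y="com.android.talkback com.google.android.marvin.talkback"
ALLOWED_SMS="com.google.android.apps.messaging com.android.messaging"
ALLOWED_ADMIN="com.google.android.gms com.android.managedprovisioning"

in_list() {
    # in_list NEEDLE "a b c": succeed if NEEDLE is one of the space-separated words
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

check_a11y() {
    # $1: output of `adb shell settings get secure enabled_accessibility_services`
    # Format: colon-separated pkg/class component names ("null" when none).
    if [ -z "$1" ] || [ "$1" = null ]; then return 0; fi
    (
        IFS=:
        set -- $1
        for comp in "$@"; do
            pkg=${comp%%/*}
            [ -n "$pkg" ] || continue
            in_list "$pkg" "$ALLOWED_A11Y" || echo "$pkg"
        done
    )
}

check_sms_default() {
    # $1: output of `adb shell settings get secure sms_default_application`
    # A banking Trojan that takes this role can read one-time SMS codes.
    if [ -z "$1" ] || [ "$1" = null ]; then return 0; fi
    in_list "$1" "$ALLOWED_SMS" || echo "$1"
}

check_admins() {
    # $1: output of `adb shell dumpsys device_policy`
    # Assumed layout: under "Enabled Device Admins" each admin appears on its
    # own line as "pkg/class:" (flattened component name). Anything else is ignored.
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\)\/[A-Za-z0-9_.$]*:.*$/\1/p' \
      | while read -r pkg; do
            in_list "$pkg" "$ALLOWED_ADMIN" || echo "$pkg"
        done
}

triage_device() {
    # Live mode: pull the three settings from a connected, authorised device.
    # tr strips the carriage returns adb adds on some hosts.
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    sms=$(adb shell settings get secure sms_default_application | tr -d '\r')
    dpm=$(adb shell dumpsys device_policy | tr -d '\r')
    check_a11y "$a11y"
    check_sms_default "$sms"
    check_admins "$dpm"
}

# Constructed sample output (not captured from a real device): a fake "Flash
# player" package has registered an accessibility service, taken the SMS role
# and become a device admin alongside legitimate entries.
SAMPLE_A11Y="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeflash/.AccService"
SAMPLE_SMS="com.example.fakeflash"
SAMPLE_DPM="Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10040
    com.example.fakeflash/.Admin:
      uid=10123
      policies:
        wipe-data"

if [ "${1:-}" = "--live" ]; then
    triage_device
else
    echo "unexpected accessibility services:"; check_a11y "$SAMPLE_A11Y"
    echo "unexpected default SMS app:";        check_sms_default "$SAMPLE_SMS"
    echo "unexpected device admins:";          check_admins "$SAMPLE_DPM"
fi
```

Run it with no arguments to see the checks applied to the embedded sample, or with `--live` against a phone connected over adb. A non-empty result is a lead, not a verdict: some MDM agents, screen readers and password managers legitimately hold these rights, which is why the allowlists exist.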
Through this abuse of accessibility services, the malware can read the user interface of any other app on the phone and harvest the data shown there. It also takes a screenshot every time a key is pressed on the keyboard and uploads the screenshots to its command-and-control (C&C) server.
Most banking apps block screenshots while they are in use, but the malware works around this. Again using accessibility services, it identifies which banking app is running and draws a phishing overlay (a fake login window) on top of it.
If a user enters their details into one of these overlays, their banking credentials end up in the attackers' hands, resulting in financial loss, fraud and identity theft.
Researchers say the number of Svpeng attacks has been low, but they are spread worldwide across 23 countries. Most of the affected users were in Russia, even though the malware does not attack devices whose language is set to Russian.
It is still unknown who is behind the malware, but Kaspersky Lab's researchers believe that skipping Russian-language devices is a standard tactic of Russian cybercriminals who want to avoid detection and arrest, since Russian authorities tend to let hacking and cybercrime pass as long as it does not target the country itself.
What is known is that the group behind Svpeng is professional and constantly updates its malware to hit new targets and evade detection.
The best way for Android users to avoid becoming a victim of Svpeng is not to install apps from unknown sources, and to be wary of any app that asks for accessibility access or device administrator rights without an obvious reason. Both lists can be reviewed in the phone's Settings, under Accessibility and under Device admin apps.