Author: Catalin Cimpanu / Source: BleepingComputer
A new version of the Svpeng Android banking trojan has begun claiming victims over the past month, and the origin of this sudden surge in activity is a criminal selling a new and improved version of Svpeng on a Russian underground hacking forum.
To provide some context, Svpeng is one of the oldest Android malware families and a constant innovator on the Android malware scene.
Security researchers first spotted Svpeng in 2013, and over the course of its evolution the trojan has been the first malware to use several techniques, such as:
⇾ Stealing money from people’s bank accounts via SMS-based account management services [source]
⇾ Overlaying fake login screens on top of legitimate banking apps [source]
⇾ Changing the PIN, blocking devices, and asking for money (the first banking trojan to add ransomware-like features) [source, source]
Svpeng becomes first banking trojan to use a keylogger
In mid-July this year, Svpeng added a new notch to its belt of innovations. According to security researchers from Dr.Web, Kaspersky Lab, and Sophos, Svpeng became the first banking trojan to add keylogger features, making it capable of recording everything users type on their devices, whether via the built-in keyboard or third-party keyboard apps.
This is done through the native Android Accessibility feature, which many other malware families also abuse. All Svpeng needs is to trick users into granting the malicious app access to this feature, which it then uses to grant itself device administrator rights on the victim’s phone. Those rights, in turn, allow Svpeng to operate undisturbed behind the user’s back.
Currently, the trojan is spread disguised as an Android version of the Adobe Flash application. In the past, Svpeng relied heavily on mobile malvertising, some of which downloaded the trojan onto users’ phones without even requiring user interaction [1, 2].
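As an added example (not code from the article or from the researchers it cites), a small triage helper that flags a decoded AndroidManifest.xml declaring both an accessibility service and a device-admin receiver, the pairing described above, plus a Flash-player label of the kind the current campaign uses as a lure; the sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

# Constructed sample manifest (not a real Svpeng sample): an app labelled as
# Adobe Flash that declares both an accessibility service and a device-admin
# receiver, the combination the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashplayer">
  <application android:label="Adobe Flash Player">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _actions(component):
    """Collect the intent-filter action names declared on a component."""
    return {a.get(A + "name") for f in component.findall("intent-filter")
            for a in f.findall("action")}

def triage_manifest(xml_text):
    """Return a list of findings for a decoded (plain-XML) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    # Both checks accept either the bind permission or the intent action.
    a11y = any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               or "android.accessibilityservice.AccessibilityService" in _actions(s)
               for s in app.findall("service"))
    admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in _actions(r)
                for r in app.findall("receiver"))
    if a11y:
        findings.append("accessibility-service")
    if admin:
        findings.append("device-admin")
    if a11y and admin:
        findings.append("accessibility+device-admin combination")
    # Adobe never shipped a Flash app for current Android; the label is a lure.
    if "flash" in (app.get(A + "label") or "").lower():
        findings.append("flash-player lure label")
    return findings
```

Manifests inside an APK are stored as binary XML, so decode them first (for example with apktool) before passing them to this function.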
The current campaign targets users all over the world. Researchers say they spotted Svpeng versions containing configurations that allow it to steal login credentials for 14 UK banks, 10 German banks, 9 Turkish banks, 9 Australian banks, 8 French banks, 7 Polish banks, and 6 Singapore banks.
New Svpeng version does not target Russians
Kaspersky Lab notes that, despite this, most infected users were in Russia, but that Svpeng was configured not to execute on those devices, a classic sign that it was created by a local criminal who wants to stay off the radar of local authorities.
In the past, Svpeng heavily targeted and infected Russian victims. In August 2015, Russian authorities arrested a man on suspicion of creating the Svpeng banking trojan, but new versions continued to come out after…