Kaspersky Lab experts have uncovered a new variant of the Svpeng mobile banking Trojan that features keylogging functionality, a technique more commonly associated with targeted threat actors. The modified Trojan steals entered text such as banking credentials by abusing Android’s accessibility services. This approach also allows the Trojan to grant itself other permissions and rights and to counteract attempts to uninstall it. The researchers warn that simply keeping device software up to date does not protect against this Trojan.
Accessibility services generally take the form of user interface (UI) enhancements to support users with disabilities or those temporarily unable to interact fully with a device, for example because they are driving. In July 2017, Kaspersky Lab researchers discovered that Svpeng had evolved to abuse this system feature to steal entered text from other apps on the device and grant itself a number of additional rights.
The Trojan is distributed through malicious websites as a fake flash player app. Upon activation, it asks for permission to use accessibility services. By abusing this single feature, it can achieve all of the following: access the UIs of other apps and take screenshots every time a key is pressed on the keypad, logging data such as banking credentials. It can give itself device administrator rights and the ability it to draw over other apps. The ability to overlay is needed because some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan draws its phishing window over the app instead. The researchers uncovered a list of phishing URLs targeting the banking apps of leading European retail banks.
Further, it can install itself as the default SMS app, send and receive SMS, make calls, and read contacts, and block any attempts to remove device administrator rights – thereby preventing its uninstallation. The Trojan’s malicious techniques work even on fully updated devices, which have the latest version of Android OS and all security updates installed.
The Trojan is not yet widely deployed, and overall attack numbers are low. Most of the attacks detected to date are in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). These include phishing attacks:
“The keylogging and accessibility service abuse are a new development for mobile banking malware and we are not surprised to find Svpeng leading the way. The Svpeng malware family is well-known for its innovation, making it one of the most dangerous families around. It was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important monitor and analyse every new version,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
Kaspersky Lab advises users to install a reliable security solution, such as Kaspersky Internet Security for Android on their device, to always check that apps have been created by a reputable developer and not to download anything that looks at all suspicious or whose source cannot be verified. Last but not least, to take care when granting apps additional privileges.
To learn more about the latest modification of Svpeng, read the blog on Securelist.com.
All Kaspersky Lab products detect this Trojan as Trojan-Banker.AndroidOS.Svpeng.ae.