On average a single cybersecurity incident now costs large businesses $861,000. Meanwhile, small and medium businesses (SMB) end up paying $86,500. Most alarmingly, the cost of recovery significantly increases depending on the time of discovery.
Kaspersky Lab experts have uncovered a new variant of the Svpeng mobile banking Trojan that features keylogging functionality, a technique more commonly associated with targeted threat actors. The modified Trojan steals entered text such as banking credentials by abusing Android’s accessibility services. This approach also allows the Trojan to grant itself other permissions and rights and to counteract attempts to uninstall it. The researchers warn that simply keeping device software up to date does not protect against this Trojan.
Accessibility services generally take the form of user interface (UI) enhancements to support users with disabilities or those temporarily unable to interact fully with a device, for example because they are driving. In July 2017, Kaspersky Lab researchers discovered that Svpeng had evolved to abuse this system feature to steal entered text from other apps on the device and grant itself a number of additional rights.
The Trojan is distributed through malicious websites as a fake flash player app. Upon activation, it asks for permission to use accessibility services. By abusing this single feature, it can achieve all of the following: access the UIs of other apps and take screenshots every time a key is pressed on the keypad, logging data such as banking credentials. It can give itself device administrator rights and the ability it to draw over other apps. The ability to overlay is needed because some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan draws its phishing window over the app instead. The researchers uncovered a list of phishing URLs targeting the banking apps of leading European retail banks.
Further, it can install itself as the default SMS app, send and receive SMS, make calls, and read contacts, and block any attempts to remove device administrator rights – thereby preventing its uninstallation. The Trojan’s malicious techniques work even on fully updated devices, which have the latest version of Android OS and all security updates installed.
The Trojan is not yet widely deployed, and overall attack numbers are low. Most of the attacks detected to date are in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). These include phishing attacks:
“The keylogging and accessibility service abuse are a new development for mobile banking malware and we are not surprised to find Svpeng leading the way. The Svpeng malware family is well-known for its innovation, making it one of the most dangerous families around. It was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important monitor and analyse every new version,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
Kaspersky Lab advises users to install a reliable security solution, such as Kaspersky Internet Security for Android on their device, to always check that apps have been created by a reputable developer and not to download anything that looks at all suspicious or whose source cannot be verified. Last but not least, to take care when granting apps additional privileges.
To learn more about the latest modification of Svpeng, read the blog on Securelist.com.
All Kaspersky Lab products detect this Trojan as Trojan-Banker.AndroidOS.Svpeng.ae.
Articles related to Virus News
Kaspersky Lab experts have discovered a new malicious app on the Google Play store: “Guide for Pokémon Go”, capable of seizing root access rights on Android smartphones and using that to install/uninstall apps and display unsolicited ads. The app has been downloaded more than 500,000 times, with at least 6,000 successful infections. Kaspersky Lab has reported the Trojan to Google and the app has been removed from Google Play.
Kiosks and Speed Cameras in a Smart City: Researchers Find Multiple Smart Components of the Modern City Vulnerable to Cyber Attacks
Kaspersky Lab researchers examined a number of digital kiosks and interactive terminals used in modern cities for different purposes - from paying for different services through to entertainment – and discovered that a lot of them contain vulnerabilities that can expose private user data and be used to spy or spread malicious code.