Svpeng Android Banking Trojan Tweaked with Keylogger Feature

With every passing day and every attack, hackers are becoming more innovative in their tricks and more adept at social engineering. Their attacks are now difficult to detect, and they have lately been adopting stealthy techniques. The latest Android banking Trojan is clear proof of this.

According to Kaspersky Lab's security researchers, Svpeng, the most dangerous Android banking Trojan family of all, has now been equipped with a keylogger feature. This has given cyber criminals easy access to sensitive data logs.

Roman Unuchek, a senior malware analyst at Kaspersky Lab, identified a new and highly dangerous version of the already harmful Svpeng Android banking Trojan, which is equipped with keylogging capability. The malware uses Android's Accessibility Services to add the keylogger. Accessibility Services is an Android service that gives users alternative methods of interacting with their devices.

The addition of the keylogger has made the Svpeng Trojan extremely powerful because it can now steal entered text from all the apps installed on the Android device as well as log all the keystrokes. As if this were not enough, it grabs more permissions and rights to prevent uninstallation of the malware.

Although this version of Svpeng is not widely deployed, users in 23 countries, including Russia, Poland, Germany, Turkey, and France, have already clicked on it. However, Russian users are not attacked at all. Unuchek highlighted a key fact: when a device is infected, the malware checks the device's language and, if it is Russian, performs no malicious acts. This hints at the involvement of Russian threat actors in this latest malware spree.

The Trojan is being distributed via infected websites, where it is disguised as Flash Player. Once the device is infected and the language checked, the malware exploits Accessibility Services to launch dangerous attacks. The malware grabs admin rights, draws overlays over legitimate apps, grants itself dynamic permissions such as making calls or sending/receiving messages, installs itself as the default SMS app, and views contact details. It also blocks all attempts by the victim to remove admin rights, which is how it prevents its uninstallation.
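The privilege combination described above can be audited from a workstation. The following is an added example (not from Kaspersky's report or the original article) that flags any app combining an enabled accessibility service with at least two of device-admin rights, the default SMS role, or a non-store installer. The package names, the trusted-installer list and the `dumpsys device_policy` layout are assumptions, and the inputs are constructed samples.

```python
import re

# Android component names look like com.example.app/.SomeService
COMPONENT = re.compile(r"([A-Za-z]\w*(?:\.\w+)+)/[\w.$]+")
INSTALLER = re.compile(r"package:(\S+)\s+installer=(\S+)")
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def audit(accessibility, device_policy, default_sms, pm_list):
    """Return {package: [signals]} for every app that has an enabled
    accessibility service plus at least two of: device admin, default
    SMS handler, installed from outside a trusted store."""
    a11y = set(COMPONENT.findall(accessibility))
    admins = set(COMPONENT.findall(device_policy))
    installers = dict(INSTALLER.findall(pm_list))
    findings = {}
    for pkg in sorted(a11y):
        signals = ["accessibility-service"]
        if pkg in admins:
            signals.append("device-admin")
        if pkg == default_sms.strip():
            signals.append("default-sms")
        if installers.get(pkg) not in TRUSTED_INSTALLERS:
            signals.append("sideloaded")
        if len(signals) >= 3:
            findings[pkg] = signals
    return findings

# Constructed sample outputs (not captured from a real device) standing in for:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy   (layout assumed; it varies by version)
#   adb shell settings get secure sms_default_application
#   adb shell pm list packages -i
SAMPLE_A11Y = ("com.example.screenreader/.ReaderService:"
               "com.example.flashplayer/.UpdateService")
SAMPLE_POLICY = "Enabled Device Admins (User 0):\n  com.example.flashplayer/.AdminReceiver:\n"
SAMPLE_SMS = "com.example.flashplayer\n"
SAMPLE_PM = ("package:com.example.screenreader  installer=com.android.vending\n"
             "package:com.example.flashplayer  installer=null\n")

if __name__ == "__main__":
    for pkg, signals in audit(SAMPLE_A11Y, SAMPLE_POLICY, SAMPLE_SMS, SAMPLE_PM).items():
        print(f"{pkg}: {', '.join(signals)}")
```

A store-installed accessibility app with no other privileges, like the constructed screen reader here, is not reported; only the package holding the full combination is.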

It also steals the text entered on apps and takes screenshots whenever the victim presses a key on the keyboard. As Unuchek said:

“Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app.”

The information is uploaded to the C&C server of the attacker.

Further investigation by Unuchek revealed the websites and apps targeted by Svpeng, which included banking apps from the UK, France, Turkey, Singapore, Poland and Australia.

If you want your device to stay protected, always download apps from trusted websites and avoid downloading unnecessary apps. Choose apps from verified developers only and verify app permissions before installing them. Avoid downloading apps from third-party sources, and install a reliable, up-to-date antivirus.
