Svpeng Android banking Trojan now comes with keylogger to help hackers steal everything

The Android banking trojan Svpeng, considered to be one of the most proliferate and rapidly evolving malware strains, has added yet another feature to its arsenal. The malware now comes with keylogger features, which exploits accessibility services – an Android feature designed to assist users with disabilities or users to access apps while driving – helping hackers steal virtually all sensitive data on an infected device.

The new variant of the malware can also block any attempt at uninstalling it from an infected device. The banking Trojan also now checks the language of the device. If the language is not Russian, the malware asks the device to use accessibility services, which allows it to grant itself even more permissions and rights.

"Attack data suggests this Trojan is not yet widely deployed. In the space of a week, we observed only a small number of users attacked, but these targets spanned 23 countries," said Kaspersky Lab senior malware analyst Roman Unuchek. "Most attacked users were in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%)."

"It is worth noting that, even though most attacked users are from Russia, this Trojan won't work on devices running the Russian language. This is a standard tactic for Russian cybercriminals looking to evade detection and arrest," Unuchek added.

The malware is now capable of granting itself admin rights, installing itself as a default SMS app and grant itself "dynamic permissions" such as sending and receiving SMS texts, making calls and reading contacts. By using accessibility services, the banking Trojan can steal data from other apps, including names of interface elements, content of the apps and more.

The malware also supports third party keyboards and takes screenshots every time the user presses a button on the keyboard and uploads the images to its malicious server.

"I uncovered a few antivirus apps that the Trojan attempted to block, and some apps with phishing URLs to overlay them. Like most mobile bankers, Svpeng overlays some Google apps to steal credit card details," Unuchek said.

Unuchek said that he also uncovered an encrypted configuration file from the malware C&C server that helped him determine some of Svpeng's targets. He noted that the file contained phishing URLs for PayPal and eBay apps to "steal credentials and URLs for banking apps from different countries."

The malware is currently attacking 14 banking apps in the UK, 10 in Germany, nine in Turkey and Australia, eight in France, seven in Poland and six in Singapore.

"The Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money," Unuchek said. "In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families."