The authors behind the Android banking malware family Svpeng have added a keylogger to a recent strain, giving attackers yet another way to steal sensitive data.
Roman Unuchek, a senior malware analyst with Kaspersky Lab, said Monday he spotted a new variant of the Trojan in mid-July. Unuchek says the keylogger takes advantage of Accessibility Services, an Android feature that assists users with disabilities or assists users access apps while driving.
Unuchek specializes in digging up Android malware; earlier this summer he helped alert Google of two apps in its Play marketplace that were really Ztorg Trojans and another app that was a rooting Trojan, Dvmap.
According to the researcher the most recent iteration of Svpeng checks the device’s language. If the language isn’t Russian, it asks the device to use Accessibility Services, something that can subject the device to a number of dangerous outcomes.
“It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts,” Unuchek wrote Monday, “Furthermore, using its newly gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation.”
Once afforded the ability to access to the inner workings of other apps on the device, Unuchek says Svpeng can steal text entered on other apps and take screenshots, information that’s promptly fired off to the attackers’ command and control server.
Unuchek said that as part of his research he managed to intercept an encrypted configuration file from the malware’s C&C server. The file helped him determine some of the sites and services that Svpeng targets. He claims the file contained phishing URLs for both the PayPal and eBay mobile apps, along with URLs for banking apps from the UK, Germany, Turkey, Australia, France, Poland, and Singapore.
The file also contained an overlay for a rewards app – not a financial app: Speedy Rewards, an app distributed by the US gas station/convenience store chain Speedway.
In addition to including URLs, the file helps the malware receive the following commands from the server:
- To send SMS
- To collect info (Contacts, installed apps and call logs)
- To collect all SMS from the device
- To open URL
- To start stealing incoming SMS
The most recent version of the Trojan, dubbed Trojan-Banker.AndroidOS.Svpeng.ae, isn’t exactly widely deployed, Unuchek says. Only a small number of users were attacked over the course of a week, but it could stretch further. While the malware may have not hit a lot of users, those that were hit came from all corners of Europe – 23 countries, including Russia, Germany, Turkey, Poland, and France, according to Unuchek.
Researchers with Kaspersky Lab, which first identified the malware back in 2013, said last month Svpeng and another family, Fusob, were tied to a spike in mobile ransomware attacks during the first quarter of this year.
The researcher says the version of Svpeng he spotted in July was being distributed through malicious websites disguised as a fake Flash Player.
The main capability of Svpeng, which was initially spread via SMS messages in 2013, was phishing. Users hit by the malware were displayed a phishing window after opening up their banking app of choice. The window would ask for the users’ name and password, information that was ultimately sent back to an attacker’s server. The malware was modified with a ransomware component that demanded $500 from users fairly early on, back in the spring of 2014. The ransomware eventually evolved, telling users their devices had been locked by the FBI because they were used to visit websites containing pornography. Users would then have to pay a lesser fee, $200, to unlock the device.
Unuchek said Monday he wasn’t surprised the attackers behind Svpeng had begun embracing keyloggers and abusing Android’s accessibility functionality.
“[Svpeng] was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important monitor and analyze every new version,” Unuchek said.