Just when you thought the first-generation family of banking malware had faded away, it returns like a bad zombie movie. Kaspersky Lab’s Roman Unuchek, a senior malware analyst, recently reported on the company’s blog that the Svpeng malware is “going viral” at this writing. Svpeng first appeared in 2013, stealing banking details from Android users.
Within a single week Svpeng spread across 23 countries, the largest shares being Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%).
The latest variant of the trojan abuses the Android operating system’s (OS) Accessibility Services. A trojan presents itself to the user as one kind of software (here a media player) while carrying a hidden, malicious function.
Accessibility Services exist so that apps can help users with disabilities operate an Android device even when they cannot fully interact with it. A service the user enables under this feature can read what is displayed on screen and perform actions such as taps and text entry on the user’s behalf, which is exactly what makes the feature valuable to malware.
The malware is direct about what it wants. Distributed from unsanctioned websites as a fake Flash Player, the trojan explicitly asks the user to enable its Accessibility Service. Once the user agrees, the trojan uses that access to grant itself device administrator rights, approving the confirmation dialogs on the user’s behalf.
With those rights the operators can draw overlay screens, send and receive SMS text messages, make phone calls and read contacts. Overlay screens are windows drawn on top of a legitimate app’s screen that look like the real thing but are traps to capture user input.
The malware steals passwords and other credentials in two ways: through these phishing overlays, and through keylogging, here implemented not by hooking the keyboard but by reading the text the user types through the same accessibility access the user granted.
Svpeng also takes a screenshot of the device screen each time the user presses a key.
The screenshots and everything else harvested from the device are sent to a command-and-control server operated by the attackers for further exploitation.
That includes contacts, installed apps, call logs and SMS texts. SMS is still the channel many banks use to deliver one-time verification codes, so a trojan that can read incoming messages can complete logins and transactions the bank believes it has confirmed with the customer.
Unuchek lists in his blog the number of banking apps the trojan targets per country:
- UK – 14 attacked banking apps;
- Germany – 10 attacked banking apps;
- Turkey – 9 attacked banking apps;
- Australia – 9 attacked banking apps;
- France – 8 attacked banking apps;
- Poland – 7 attacked banking apps; and
- Singapore – 6 attacked banking apps.
Unuchek suggests the malware originates in Russia. The first thing the program does is check whether the infected device’s language is set to Russian. If it is, the program halts; if it is not, it asks the user to enable Accessibility Services.
Unfortunately, Svpeng is also tenacious. Users cannot be sure antivirus software has removed it, because the trojan blocks attempts to revoke its device administrator rights, and those rights must be removed before Android will let the user uninstall the app.
How Application Shielding Can Guard Against Svpeng
Application shielding adds a layer of protection inside the mobile app itself. Most antivirus software operates far from where the real harm to users is done, at the application level. Application shielding technology acts like body armor for the app, working from the inside to detect, warn about and block attacks.
With Promon SHIELD™, user credentials such as usernames, passwords, PINs and other inputs are protected: malware techniques for spying on or capturing input, whether keylogging, screenshots or screen-reader (accessibility) abuse, are blocked.
For instance, application shielding alerts when an unauthorized service attempts to capture keystrokes through a non-standard channel, and blocks it. Shielding tools also warn of diversions from the application’s normal flow, such as an overlay appearing where the app’s own login screen should be. Further, adequate shielding warns when malware is attempting to repurpose the device’s own services, as in Svpeng’s abuse of Android Accessibility Services.
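The techniques described above (screenshots on every key press, overlays over the login screen, and an accessibility service reading entered text) map onto controls an app can apply on its own with the public Android SDK. The following login activity is an added example written for this page; it is not code from Kaspersky, Promon or the original post. The class name, the layout and view ids, the allowlist of accepted accessibility packages and the decision to refuse login are all assumptions for illustration.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.provider.Settings;
import android.text.TextUtils;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical login screen of a banking app, hardened against the three Svpeng techniques. */
public class LoginActivity extends Activity {

    private static final String TAG = "LoginActivity";

    // Hypothetical allowlist: accessibility services the bank accepts
    // (here only the platform screen reader). Anything else is flagged.
    private static final Set<String> ALLOWED_ACCESSIBILITY_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Screenshot defence: FLAG_SECURE makes the system refuse to capture
        //    this window, so a per-keypress screenshot comes back blank.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_login);          // hypothetical layout

        // 2. Overlay defence: discard touches delivered while another window is
        //    drawn over the field (tapjacking / overlay phishing).
        View passwordField = findViewById(R.id.password); // hypothetical view id
        passwordField.setFilterTouchesWhenObscured(true);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // 3. Accessibility check, repeated on every resume because the user may
        //    have enabled a service while this screen was in the background.
        List<String> suspicious = unexpectedAccessibilityServices();
        if (!suspicious.isEmpty()) {
            Log.w(TAG, "Unexpected accessibility services enabled: " + suspicious);
            // Hypothetical policy: do not show the login form; send the user to
            // the accessibility settings so the service can be disabled.
            startActivity(new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS));
        }
    }

    /**
     * Package names of enabled accessibility services not on the allowlist.
     * Both the AccessibilityManager view and the raw Settings.Secure string
     * are consulted, since a service may show up in only one of them.
     */
    List<String> unexpectedAccessibilityServices() {
        Set<String> enabledPackages = new HashSet<>();

        AccessibilityManager am =
                (AccessibilityManager) getSystemService(ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(
                    AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                if (info.getResolveInfo() != null) {
                    enabledPackages.add(info.getResolveInfo().serviceInfo.packageName);
                }
            }
        }

        // Settings.Secure stores "pkg/ServiceClass:pkg2/ServiceClass2".
        String raw = Settings.Secure.getString(getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (!TextUtils.isEmpty(raw)) {
            for (String flat : raw.split(":")) {
                ComponentName cn = ComponentName.unflattenFromString(flat);
                if (cn != null) {
                    enabledPackages.add(cn.getPackageName());
                }
            }
        }

        List<String> unexpected = new ArrayList<>();
        for (String pkg : enabledPackages) {
            if (!ALLOWED_ACCESSIBILITY_PACKAGES.contains(pkg)) {
                unexpected.add(pkg);
            }
        }
        return unexpected;
    }
}
```

Two caveats a practitioner should keep in mind. The accessibility check is a detection, not a barrier: a service the user has already enabled can still read screen content, so the useful response is to withhold the sensitive screen and steer the user to disable the service, as above. And `FLAG_SECURE` only blocks captures of this app’s own window; it does nothing against an overlay the malware draws on top, which is why the touch filtering and the accessibility check are needed alongside it.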
While it is still early days for the latest incarnation of Svpeng, and it may yet reach far larger numbers of Android devices, investment in application shielding will pay dividends for banks and their customers well into the future.