An Android banking Trojan known as Svpeng has added phishing capabilities to its arsenal, and researchers have spotted it attacking Russian banking customers in what they see as a dry run before it is adapted for other countries.
“Typically, however, cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally, attacking users in other countries,” said Kaspersky Lab researcher Roman Unuchek on the Securelist blog today.
Unuchek said the Trojan, which spreads via SMS spam messages, has new code that checks the language setting of the operating system on the victim’s device in order to tailor its messages to that language. For now, the malware appears to be interested in U.S., German, Belarusian and Ukrainian victims.
Phishing is the big innovation for Svpeng, also known as Trojan-SMS.AndroidOS.Svpeng. Infected Android users in Russia are presented with a phishing window when they launch their banking application. The window asks for the victim’s user name and password, which are then sent to a server belonging to the attacker.
Unuchek also said the Trojan tries to steal bank card information by layering a phishing window over Google Play when it is running on the user’s device. The window prompts the user to enter credit or bank card details, including expiration date and CVC number, which are likewise delivered to the attacker’s command and control (C&C) server.
The malware is also capable of issuing commands to transfer money from the victim’s account to the attacker. Unuchek said it does so by sending SMS messages to numbers belonging to a pair of Russian banks.
“This way it checks if the cards of these banks are attached to the number of the infected phone, finds out the balance and sends it to the malicious C&C server,” Unuchek wrote. “If the phone is attached to a bank card, commands may arrive from the C&C to transfer money from the user’s bank account to his/her mobile account or to the cybercriminals’ bank account. The cybercriminals may then send this money to their digital wallet and cash it in.”
Svpeng may soon break out beyond Russia’s borders; the language check described above is the first behavior Kaspersky researchers have seen in the malware that adapts it to the victim’s location.
Unuchek said there have been 50 modifications to Svpeng in the three months the malware has been monitored. The attackers are also adamant about keeping the Trojan active; it registers itself with Android’s Device Administrator API (deviceAdmin) to prevent security products from removing it. It also prevents the user from disabling its device administrator status or performing a factory reset by exploiting a previously unknown vulnerability in Android, Unuchek said.
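The three behaviors the article attributes to Svpeng (sending and receiving SMS, layering a window over another app, and registering as a device administrator) all leave traces in an app’s manifest, which makes them a cheap triage signal for analysts looking at sideloaded APKs. The following is an added example written for this article, not code from Kaspersky Lab or from the malware; the manifest it inspects is constructed for illustration, and the mapping of SYSTEM_ALERT_WINDOW and GET_TASKS to the overlay behavior is an assumption, since the article says only that a phishing window is layered over the banking app and Google Play.

```python
"""Heuristic triage of an Android manifest for the indicator combination
described in the Svpeng article: SMS capability, overlay capability and a
Device Administrator receiver.  Added example; not the malware's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # namespace prefix for android:* attributes

# Permissions mapped to the behaviors the article describes.  Treating
# SYSTEM_ALERT_WINDOW / GET_TASKS as the overlay mechanism is an assumption.
INDICATORS = {
    "android.permission.RECEIVE_SMS": "sms_receive",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.READ_SMS": "sms_read",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.GET_TASKS": "foreground_app_tracking",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found plus a 0..3 score counting how many of
    the three behavior groups (SMS, overlay, device admin) are present."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in INDICATORS:
            found.add(INDICATORS[name])
    # An app becomes a device administrator by declaring a receiver guarded
    # by BIND_DEVICE_ADMIN; the article says Svpeng uses this to resist removal.
    for receiver in root.iter("receiver"):
        if receiver.get(A + "permission") == DEVICE_ADMIN_PERMISSION:
            found.add("device_admin")
    sms_capable = bool({"sms_receive", "sms_send", "sms_read"} & found)
    score = sum([sms_capable, "overlay" in found, "device_admin" in found])
    return {
        "package": root.get("package"),
        "indicators": sorted(found),
        "score": score,
        "suspicious": score == 3,
    }


# Constructed sample manifest for demonstration (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Sample">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], report["score"], report["indicators"])
```

On a real APK the manifest is stored as binary XML and has to be decoded first (for example with apktool or androguard) before it can be fed to this function. The score is a triage heuristic, not a verdict: legitimate messaging, MDM and accessibility apps legitimately hold several of these permissions, and a malicious app can still request them at runtime in ways a static manifest check will not see.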