A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, we’re told.
The Svpeng software nasty has been around for four years, and its creator was caught and thrown in the clink in 2015. However, the malware keeps on evolving, thanks to other crooks trying their hand with the code.
Researchers at Kaspersky have now found a strain that abuses Android’s accessibility services to place an invisible overlay on top of legit banking apps installed on the device. This covert layer intercepts touchscreen keypresses to the underlying application.
In effect, it acts like a key-logger, picking up a victim’s login details as they access their banking account. With this information, and access to text messages, crooks controlling the spyware can siphon off these sensitive details and drain accounts to their cold hearts’ content.
The malware is disguised as a fake Flash player download, and marks are lured into installing the malicious program, as a .apk, from dodgy websites. It doesn’t matter if you’re running the latest version of Android and the latest security patches; the evil app uses the granted accessibility privilege to do its dirty work, rather than rely on exploiting software vulnerabilities. The trick is to not install bad programs from untrusted websites, of course.
“The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake Flash player,” said Roman Unuchek, malware analyst at Kaspersky Lab.
“Its malicious techniques work even on fully updated devices with the latest Android version and all security updates installed. By accessing only one system feature, this Trojan can gain all necessary additional rights and steal lots of data.”
Once the user is tricked into installing the malware, it asks for full permission to Android accessibility services – which should be a red flag for savvy users. Once that permission has been given, it’s game over. According to Kaspersky:
It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts. Furthermore, using its newly-gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation. It is interesting that in doing so it also blocks any attempt to add or remove device administrator rights for any other app too.
Once this Invisible Man-like nasty is in place, it envelops 14 banking apps in the UK, 10 in Germany, nine in each of Turkey and Australia, eight in France, seven in Poland, and six in Singapore, plus the rewards app Speedway. It also connects to a remote command-and-control center for further instructions from its masterminds. It can be ordered to send text messages; hand over texts, contacts, lists of installed apps, and call logs; and start intercepting incoming SMSes.
It can also send back screenshots of the device every time the keyboard is touched – and it supports a few third-party keyboards as well as the standard Android one.
The only way to be completely safe against the malware – other than just avoid downloading and installing random .apks from websites – is to have your smartphone set on the Russian language. If Svpeng detects it’s on a Russian phone, it deactivates and deletes itself – a move Unuchek said was increasingly popular with Russian malware writers looking to avoid prosecution on their home turf. ®