New Variants of Svpeng Trojan Equipped with Keylogger
Kaspersky Lab experts have uncovered a new variant of the Svpeng mobile banking Trojan that features keylogging functionality, a technique more commonly associated with targeted threat actors.
The modified Trojan steals entered text such as banking credentials by abusing Android’s accessibility services. This approach also allows the Trojan to grant itself other permissions and rights and to counteract attempts to uninstall it.The researchers warn that simply keeping device software up to date does not protect against this Trojan.
The Trojan is distributed through malicious websites as a fake flash player app. Upon activation, it asks for permission to use accessibility services. By abusing this single feature, it can achieve all of the following: access the UIs of other apps and take screenshots every time a key is pressed on the keypad, logging data such as banking credentials. It can give itself device administrator rights and the ability it to draw over other apps. The ability to overlay is needed because some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan draws its phishing window over the app instead. The researchers uncovered a list of phishing URLs targeting the banking apps of leading European retail banks.
Further, it can install itself as the default SMS app, send and receive SMS, make calls, and read contacts, and block any attempts to remove device administrator rights – thereby preventing its uninstallation. The Trojan’s malicious techniques work even on fully updated devices, which have the latest version of Android OS and all security updates installed.
The Trojan is not yet widely deployed, and overall attack numbers are low. Most of the attacks detected to date are in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%).
Even though most infected users are from Russia, the new variant of Svpeng Trojan doesn’t perform malicious actions on those devices.
According to Kaspersky’s Malware Analaysts, after infecting the device, the Trojan first checks the device’s language. If the language is Russian, the malware prevents further malicious tasks—this suggests the criminal group behind this malware is Russian, who are avoiding to violate Russian laws by hacking locals.
Source | Technuter