Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, the cybercriminals have improved its functionalities. Now Svpeng is capable of phishing as well, trying to harvest the financial data of users.
When a user launches the banking application of one of Russia's largest banks, the Trojan substitutes the opened window with a phishing window, designed to steal the victim's login and password for the online banking system:
The data the user enters is sent to the cybercriminals.
Using a similar method, the malicious program tries to steal information about the user's bank card. The Trojan checks if Google Play is running:
If the user has launched the program, the Trojan displays a window on top of the Google Play window, prompting the user to enter his/her bank card details:
All the data that the user enters is immediately sent to the cybercriminals.
The reader may recall that this very Trojan can also steal money from victims' bank accounts. Immediately after launching, it sends SMS messages to numbers belonging to two major Russian banks:
This way it checks if the cards of these banks are attached to the number of the infected phone, finds out the balance and sends it to the malicious C&C server. If the phone is attached to a bank card, commands may arrive from the C&C to transfer money from the user's bank account to his/her mobile account or to the cybercriminals' bank account. The cybercriminals may then send this money to their digital wallet(s) and cash it in.
Currently, the Trojan is only attacking clients of Russian banks. Typically, however, cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally, attacking users in other countries. Even now, after a telephone restarts, the malware checks the language versions of the operating system. The Trojan appears to be interested in the following countries: the US (Us), Germany (De), Ukraine (Ua) and Belarus (By).
After the check Trojan-SMS.AndroidOS.Svpeng displays a window with a message stating "Loading, please wait..." in the relevant language. Then, if a command comes from the C&C, the Trojan opens a website (usually a phishing site) with an address that the cybercriminals' command server also provides.
Over the three months of the Trojan's existence, we have discovered 50 modifications of this malicious program; Kaspersky Internet Security for Android has blocked more than 900 installations of the Trojan. The Trojan spreads via SMS spam.
The Trojan is very careful about protecting itself:
To prevent security products from deleting it, the Trojan still uses the standard Android tool - deviceAdmin.
To prevent the user from disabling DeviceAdmin, the Trojan uses a previously unknown vulnerability in Android. In the same way it tries to prevent resetting of the phone to factory settings.
It should be noted that despite all these tricks, KIS for Android is capable of deleting the malicious program. Thus, a security program is the only way to ensure protection from this cyber thief.