
The Android Trojan Svpeng Now Capable of Mobile Phishing

Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, its authors have extended its functionality. Svpeng is now also capable of phishing, attempting to harvest users' financial data.

When the user launches the banking application of one of Russia's largest banks, the Trojan covers the opened window with a phishing window designed to steal the victim's login and password for the online banking system:

The data the user enters is sent to the cybercriminals.

Using a similar method, the malicious program tries to steal the user's bank card details. The Trojan checks whether Google Play is running:

If it is, the Trojan displays a window on top of the Google Play window, prompting the user to enter his or her bank card details:

All the data that the user enters is immediately sent to the cybercriminals.

As described in our earlier post, the same Trojan can also steal money directly from victims' bank accounts. Immediately after launch, it sends SMS messages to the service numbers of two major Russian banks:

In this way it determines whether a card from either bank is linked to the infected phone's number, retrieves the balance and reports it to the malicious C&C server. If a card is linked, the C&C can instruct the Trojan to transfer money from the victim's bank account to the victim's mobile phone account or to a bank account controlled by the cybercriminals, who then move it to their digital wallet(s) and cash it out.

Currently, the Trojan only attacks clients of Russian banks. Typically, however, cybercriminals first test a technique on the Russian segment of the Internet and then roll it out globally against users in other countries. Even now, after the phone restarts, the malware checks the language of the operating system and appears to be interested in the following countries: the US (Us), Germany (De), Ukraine (Ua) and Belarus (By).

After this check, Trojan-SMS.AndroidOS.Svpeng displays a window with the message "Loading, please wait…" in the corresponding language. Then, if a command arrives from the C&C, the Trojan opens a website (usually a phishing site) at an address that the command server also supplies.

Over the three months of the Trojan's existence we have discovered 50 modifications of this malicious program, and Kaspersky Internet Security for Android has blocked more than 900 installations of it. The Trojan spreads via SMS spam.

The Trojan takes great care to protect itself:

To prevent security products from removing it, the Trojan still relies on a standard Android mechanism, the device administration API (device admin): while an app holds active device admin rights, it cannot be uninstalled until those rights are deactivated.

To prevent the user from deactivating device admin, the Trojan exploits a previously unknown vulnerability in Android. It uses the same technique to try to block a reset of the phone to factory settings.
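The capabilities described throughout this post (sending SMS to bank service numbers, drawing a phishing window on top of the bank app or Google Play, surviving a reboot, and holding device admin rights to block removal) all leave traces in an APK's manifest. The following triage script is an added example and is not code from the original post or from Kaspersky; it assumes the AndroidManifest.xml has already been decoded from the APK's binary XML (for instance with apktool), and both sample manifests are constructed for illustration rather than taken from a real Svpeng sample. The GET_TASKS permission is included as an assumption about how an app of that era would detect the foreground application; the post does not say how Svpeng does it.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the capability mix
this post describes: SMS sending, overlay windows, boot-time persistence and
a device-admin receiver. Added example; not Kaspersky's or Svpeng's code.
Assumes the manifest is already decoded from binary XML (e.g. by apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Capabilities from the post, mapped to the permissions that grant them under
# the install-time permission model of Android 2.x-5.x. GET_TASKS is only an
# assumption about how the foreground app (bank app, Google Play) is detected.
CAPABILITIES = {
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_read": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "foreground_app": {"android.permission.GET_TASKS"},
}
# Minimum combination that reproduces the behaviour in the post: SMS fraud,
# overlay phishing and device-admin self-protection.
FLAG_RULE = {"sms_send", "overlay", "device_admin"}


def _qualify(name, package):
    """Expand a shorthand class name such as '.AdminReceiver' to a full name."""
    if name is None:
        return None
    return package + name if name.startswith(".") else name


def triage_manifest(manifest_xml):
    """Return the capabilities found in a decoded manifest and a flag verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and/or listens
    # for DEVICE_ADMIN_ENABLED; while the admin is active, the app cannot be
    # uninstalled through normal means.
    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in rcv.iter("action")}
        if (rcv.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            admin_receivers.append(_qualify(rcv.get(A_NAME), package))
    if admin_receivers:
        found.add("device_admin")
    return {
        "package": package,
        "capabilities": sorted(found),
        "device_admin_receivers": admin_receivers,
        "flagged": FLAG_RULE <= found,
    }


# Constructed sample: the Svpeng-like capability mix described in the post.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary messaging app that sends SMS but has neither
# an overlay permission nor a device-admin receiver, so it must not be flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict is a permission-based heuristic, not a signature: a legitimate banking or MDM app can legitimately hold device admin rights, and SMS permissions alone are common, so the rule deliberately requires the combination of SMS sending, an overlay permission and a device-admin receiver before flagging. Manifest triage also says nothing about the "previously unknown vulnerability" the post mentions, which would only show up in code analysis.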

Despite all these tricks, Kaspersky Internet Security for Android is able to remove the malicious program. A security product therefore remains the most reliable protection against this cyber thief.
