The Android Trojan Svpeng Now Capable of Mobile Phishing

Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, the cybercriminals have extended its functionality. Svpeng is now also capable of phishing, attempting to harvest users' financial data.

When a user launches the banking application of one of Russia's largest banks, the Trojan replaces the opened window with a phishing window designed to steal the victim's login and password for the online banking system.

The data the user enters is sent to the cybercriminals.

Using a similar method, the malicious program tries to steal information about the user's bank card. The Trojan checks whether Google Play is running.

If the user has launched Google Play, the Trojan displays a window on top of the Google Play window, prompting the user to enter his/her bank card details.

All the data that the user enters is immediately sent to the cybercriminals.

The reader may recall that this very Trojan can also steal money from victims' bank accounts. Immediately after launching, it sends SMS messages to numbers belonging to two major Russian banks.

In this way it checks whether cards of these banks are attached to the infected phone's number, finds out the balance and sends it to the malicious C&C server. If the phone number is attached to a bank card, commands may arrive from the C&C to transfer money from the user's bank account to his/her mobile account or to the cybercriminals' bank account. The cybercriminals may then move this money to their digital wallet(s) and cash it out.
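The behaviour just described, an app sending SMS to bank service numbers the moment it first runs, is something a defender can look for in device telephony events. The script below is an added example written for this page, not code from the post or from Kaspersky: it flags any package that is not a known banking client and that sends SMS to a bank service number within a short window after its first launch. The event format, the package names and the short codes are all constructed placeholders, not real indicators from the post.

```python
"""Triage heuristic for Svpeng-style SMS balance checks.

Added example, not code from the Securelist post: the post describes the
Trojan sending SMS to bank service numbers immediately after launch to learn
whether a card is linked to the phone number and what its balance is. This
script looks for that pattern in a stream of device telephony events: an app
that is NOT a known banking client sends SMS to a bank service number within
a short window after its first launch.

Everything below (event format, package names, short codes) is constructed
sample data chosen for the example; none of it is a real indicator.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholders standing in for the short codes banks use for
# SMS banking. A real deployment would load the bank's published numbers.
BANK_SERVICE_NUMBERS = {"7770", "7771"}

# Constructed allow-list: the bank's own app is expected to message its
# service number, so it is exempt from the heuristic.
KNOWN_BANK_APPS = {"com.example.bankclient"}

# How soon after first launch an SMS to a bank number counts as suspicious.
WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    package: str
    kind: str       # "launch" or "sms_out"
    dest: str = ""  # SMS destination, only set for "sms_out"


def parse_event(line: str) -> Event:
    """Parse one 'timestamp|package|kind[|dest]' line (constructed format)."""
    parts = line.strip().split("|")
    dest = parts[3] if len(parts) > 3 else ""
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], dest)


def find_suspicious(lines):
    """Return (package, destination, seconds_after_launch) for every SMS that
    an unknown app sent to a bank service number within WINDOW of its first
    launch."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    first_launch = {}
    findings = []
    for ev in events:
        if ev.kind == "launch":
            # Remember only the first launch of each package.
            first_launch.setdefault(ev.package, ev.ts)
        elif ev.kind == "sms_out" and ev.dest in BANK_SERVICE_NUMBERS:
            if ev.package in KNOWN_BANK_APPS:
                continue
            launched = first_launch.get(ev.package)
            if launched is not None and ev.ts - launched <= WINDOW:
                delay = int((ev.ts - launched).total_seconds())
                findings.append((ev.package, ev.dest, delay))
    return findings


# Constructed sample log: a legitimate bank app, an unrelated messenger, and
# an unknown app that queries two bank numbers seconds after its first start.
SAMPLE_LOG = """
2013-11-12T10:00:00|com.example.bankclient|launch
2013-11-12T10:00:05|com.example.bankclient|sms_out|7770
2013-11-12T10:02:00|com.example.messenger|launch
2013-11-12T10:02:30|com.example.messenger|sms_out|0123456789
2013-11-12T10:05:00|com.example.update|launch
2013-11-12T10:05:02|com.example.update|sms_out|7770
2013-11-12T10:05:03|com.example.update|sms_out|7771
2013-11-12T10:30:00|com.example.update|sms_out|7770
"""

if __name__ == "__main__":
    for package, dest, delay in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{package} messaged bank number {dest} {delay}s after first launch")
```

Only the two messages sent by `com.example.update` seconds after its first launch are reported; the bank's own client is exempt, the messenger never contacts a bank number, and the later message at 10:30 falls outside the window. The window and the allow-list are the tuning knobs: too short a window misses a Trojan that waits, too long one turns every legitimate balance query into noise.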

Currently, the Trojan is only attacking clients of Russian banks. Typically, however, cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally, attacking users in other countries. Even now, each time the phone restarts, the malware checks the language of the operating system. The Trojan appears to be interested in the following countries: the US (Us), Germany (De), Ukraine (Ua) and Belarus (By).

After this check, Trojan-SMS.AndroidOS.Svpeng displays a window with the message "Loading, please wait…" in the relevant language. Then, if a command arrives from the C&C, the Trojan opens a website (usually a phishing site) at an address that the cybercriminals' command server also provides.

Over the three months of the Trojan’s existence, we have discovered 50 modifications of this malicious program; Kaspersky Internet Security for Android has blocked more than 900 installations of the Trojan. The Trojan spreads via SMS spam.

The Trojan is very careful about protecting itself:

To prevent security products from deleting it, the Trojan still uses the standard Android tool – deviceAdmin.

To prevent the user from disabling DeviceAdmin, the Trojan uses a previously unknown vulnerability in Android. In the same way it tries to prevent resetting of the phone to factory settings.

It should be noted that despite all these tricks, KIS for Android is capable of deleting the malicious program. Thus, a security product is the only reliable way to protect against this cyber thief.
