Security researchers have discovered that one of Android's most dangerous mobile banking Trojan families has been modified to add a keylogger to its most recent strain, giving attackers another way to steal sensitive information from victims.
Kaspersky Lab's senior malware analyst Roman Unuchek spotted a new variant of the well-known Android Trojan, called Svpeng, in the middle of last month. It carries new keylogger functionality that takes advantage of Android's Accessibility Services.
Mobile Banking Trojan Exploits Accessibility Services to Add Keylogger
Yes, the keylogger added in the new version of Svpeng takes advantage of Accessibility Services, an Android feature that offers alternative ways for users with disabilities to interact with their smartphones.
This change allows the Svpeng Trojan not only to steal text entered in other apps installed on the device and to record all keystrokes, but also to grant itself further permissions and rights in order to prevent victims from uninstalling it.
In November last year, the Svpeng banking Trojan infected more than 318,000 Android devices worldwide over a period of two months with the help of Google ads that were abused to spread the malicious mobile banking Trojan.
More than a month ago, researchers also disclosed another attack that takes advantage of Android's accessibility services, called Cloak and Dagger, which allows hackers to silently take complete control of infected devices and steal private data.
If you are from Russia, you are safe!
Although the new variant of the Svpeng mobile banking Trojan is not yet widespread, it has already affected users in 23 countries over the course of a week, including Russia, Germany, Turkey, Poland and France.
What is noteworthy is that, although most of the infected users are in Russia, the new Svpeng variant does not perform any malicious actions on their devices.
According to Unuchek, after infecting a device the Trojan first checks the device language. If the language is Russian, the malware avoids its most harmful behaviour, suggesting that the criminal gang behind it is Russian and is avoiding violating Russian laws by not attacking locals.
Here's How the 'Svpeng' Mobile Banking Trojan Steals Your Money
Unuchek says the latest version of Svpeng, spotted in July, is distributed through malicious websites posing as a fake Flash Player.
Once installed, as mentioned above, the malware first checks the device language and, if the language is not Russian, asks the device for permission to use accessibility services, which opens the infected device to several dangerous attacks.
With access to accessibility services, the Trojan grants itself device administrator rights, displays an overlay on top of legitimate apps, installs itself as the default SMS application, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.
In addition, using its newly acquired administrative capabilities, the Trojan can block every attempt by the victim to revoke its device administrator rights, thereby preventing the malicious software from being uninstalled.
Using accessibility services, Svpeng gains access to the inner workings of other apps on the device, allowing the Trojan to steal text entered in other apps and to take a screenshot every time the victim presses a key on the keyboard, along with other available data.
"Some apps, mainly banking apps, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data: it draws its own phishing window over the attacked app," says Unuchek.
"It's interesting that to find out which app is on top, it also uses accessibility services."
All the stolen information is then uploaded to the attackers' command-and-control (C&C) server. As part of his research, Unuchek says he was able to intercept an encrypted configuration file from the malware's C&C server.
Decrypting the file helped uncover some of the websites and apps that Svpeng targets, and also yielded a URL with phishing pages for the PayPal and eBay mobile apps, as well as links to banking apps from the UK, Turkey, Australia, France, Poland, and Singapore.
In addition to the URLs, the file also allows the malware to receive multiple commands from the C&C server, including sending SMS, gathering information such as contacts, installed apps and call logs, opening malicious links, collecting all SMS from the device, and stealing incoming SMS.
The Evolution of the 'Svpeng' Mobile Banking Trojan for Android
Kaspersky Lab researchers first discovered the Svpeng Android mobile banking Trojan in 2013, when its primary capability was phishing.
In 2014, the malware was modified to add a ransomware component that locked the victim's device (claiming to act for the FBI because the user had visited sites containing pornography) and demanded $500 from users.
The malware was among the first to attack SMS banking, to use phishing web pages overlaid on other apps in an effort to obtain bank details, and to lock devices and demand money.
In 2016, cyber criminals actively distributed Svpeng through Google AdSense using a vulnerability in the Chrome web browser, and its abuse of accessibility services now makes Svpeng probably the most dangerous mobile malware family to date, able to steal almost anything: from Facebook credentials to your credit cards and bank accounts.
How to protect your smartphone from hackers
With accessibility services alone, this mobile banking Trojan acquires all the rights and permissions it needs to steal a large amount of data from infected devices.
The techniques used by the 'Svpeng' mobile banking Trojan work even on Android devices that are fully updated to the latest version of Android with all security updates installed, so there is little users can do to protect themselves.
There are standard security measures that should be followed to remain unaffected:
- Always stick to trusted sources like the Google Play Store and the Apple App Store, and install only apps from trusted and verified developers.
- It is important to check an app's permissions before installing it. If any app asks for more than expected, simply do not install it.
- Do not download apps from third-party sources, as malware often spreads through untrusted third parties.
- Avoid unknown and unprotected Wi-Fi hotspots, and turn Wi-Fi off when not in use.
- Never click on links provided in an SMS, MMS or email. Even if the email looks legitimate, go directly to the official website and check for updates.
- Install a good antivirus app that can detect and block malware before it can infect the device, and always keep the app updated.
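The privilege combination described above (an unexpected accessibility service that is also a device administrator and the default SMS app) is something a defender can check for directly when triaging a device, which turns the "check the permissions" advice into a concrete test. The following is an added example, not code from Kaspersky Lab, the article, or the malware: it parses constructed strings shaped like the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell dumpsys device_policy`, and flags any package holding all three roles. The exact `dumpsys device_policy` layout varies by Android version, so the parser's line shape is an assumption, the package names are fictitious placeholders, the allowlist and severity thresholds are choices made here, and nothing in it identifies real malware.

```python
"""Triage helper: flag packages that combine the rights Svpeng grants itself
(accessibility service + device administrator + default SMS app).
Example code written for this article; not Kaspersky's or the malware's."""
from __future__ import annotations

import re
from typing import Dict, List, Set

# Constructed sample output. In practice these strings would come from
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell dumpsys device_policy
# Package names below are fictitious placeholders, not real indicators.
ENABLED_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashupdate/.AccessService"
)
DEFAULT_SMS_APP = "com.example.flashupdate"
DUMPSYS_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashupdate/.AdminReceiver:
      uid=10123
      policies:
        force-lock
        reset-password
    com.android.managedprovisioning/.DeviceAdminReceiver:
      uid=10045
"""

# Accessibility packages the defender already trusts (assumed allowlist;
# TalkBack is Google's screen reader, a legitimate accessibility service).
ACCESSIBILITY_ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}

# Assumed dumpsys line shape: "    <package>/<receiver class>:"
_ADMIN_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+:\s*$", re.MULTILINE)


def parse_component_list(value: str) -> Set[str]:
    """Turn a ':'-separated list of 'pkg/.Class' components into package names."""
    packages = set()
    for component in value.split(":"):
        component = component.strip()
        if component:
            packages.add(component.split("/", 1)[0])
    return packages


def parse_device_admins(dumpsys_text: str) -> Set[str]:
    """Collect package names listed as enabled device administrators."""
    return set(_ADMIN_LINE.findall(dumpsys_text))


def triage(accessibility: str, default_sms: str, device_policy: str,
           allowlist: Set[str] = ACCESSIBILITY_ALLOWLIST) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every non-allowlisted accessibility
    service, noting whether it also holds device admin or default SMS rights."""
    suspects = parse_component_list(accessibility) - allowlist
    admins = parse_device_admins(device_policy)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(suspects):
        reasons = ["unexpected accessibility service"]
        if pkg in admins:
            reasons.append("device administrator")
        if pkg == default_sms.strip():
            reasons.append("default SMS app")
        findings[pkg] = reasons
    return findings


def severity(reasons: List[str]) -> str:
    """Assumed scale: all three roles together is the pattern worth escalating."""
    if len(reasons) >= 3:
        return "HIGH"
    return "MEDIUM" if len(reasons) == 2 else "LOW"


if __name__ == "__main__":
    for pkg, reasons in triage(ENABLED_ACCESSIBILITY, DEFAULT_SMS_APP,
                               DUMPSYS_DEVICE_POLICY).items():
        print(f"{severity(reasons)}: {pkg} ({', '.join(reasons)})")
```

On the constructed sample this reports one HIGH finding for the placeholder package and nothing for TalkBack. Apps that legitimately need an accessibility service exist, which is why an allowlist rather than a blanket alert is used; the finding is the combination of roles, and the next step would be to inspect that package's install source and requested permissions by hand.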