The authors behind the Android banking malware family Svpeng have
added a keylogger to a recent strain, giving attackers yet another way
to steal sensitive data.
Roman Unuchek, a senior malware analyst with Kaspersky Lab, said
Monday he spotted the new variant of the Trojan in mid-July. Unuchek says
the keylogger abuses Accessibility Services, an Android feature intended
to assist users with disabilities or to let users operate apps while
driving.
Unuchek specializes in digging up Android malware; earlier this
summer he helped alert Google to two apps in its Play marketplace that
were really Ztorg Trojans, and to another app that was a rooting Trojan,
Dvmap.
According to the researcher, the most recent iteration of Svpeng
first checks the device's language. If the language isn't Russian, it
asks the user to grant it access to Accessibility Services, a permission
that opens the door to several dangerous outcomes.
With that access it grants itself device administrator rights, draws
itself over other apps, installs itself as the default SMS app, and
grants itself dynamic permissions that include the ability to send and
receive SMS, make calls, and read contacts, Unuchek wrote Monday.
Furthermore, using its newly gained abilities the Trojan can block any
attempt to remove its device administrator rights, thereby preventing
its uninstallation.
Once able to reach into the inner workings of other apps on the
device, Unuchek says, Svpeng can steal text entered in those apps and
take screenshots, information that is promptly sent off to the
attackers' command and control server.
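The three footholds described above (an enabled accessibility service, a self-granted device admin, and the default SMS app handler) are all readable from an attached device over adb, which makes them a quick triage check. The script below is an added example written for this page, not code from Kaspersky or from the article; it parses the raw output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell dumpsys device_policy`, and flags any component outside a hypothetical per-fleet allowlist. The allowlist contents, the exact layout assumed for the `dumpsys device_policy` text, and the sample outputs (with a made-up package name) are assumptions of the example.

```python
"""Triage helper for the Svpeng abuse pattern: flag non-allowlisted
accessibility services, device admins and default SMS app.

Added example, not Kaspersky's or the article's code. Output formats of
the adb commands are assumed from Android 7/8-era devices; adjust per fleet.
"""
import re
import subprocess

# Hypothetical allowlist of what a stock device legitimately has enabled.
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}
KNOWN_DEVICE_ADMINS = {
    "com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver",
}

# A 'package/class' component reference; the class may be the '.Relative' shorthand.
COMPONENT = re.compile(r"[A-Za-z][\w.]*/[\w.$]+")


def normalize(component):
    """Expand 'pkg/.Cls' shorthand to 'pkg/pkg.Cls' so allowlist matching is exact."""
    pkg, _, cls = component.partition("/")
    return f"{pkg}/{pkg}{cls}" if cls.startswith(".") else component


def parse_enabled_accessibility(raw):
    """Setting value is a colon-separated component list, or 'null' when none."""
    raw = raw.strip()
    return [] if raw in ("", "null") else [c for c in raw.split(":") if c]


def parse_default_sms_app(raw):
    """Setting value is the package name of the default SMS handler, or 'null'."""
    raw = raw.strip()
    return None if raw in ("", "null") else raw


def parse_device_admins(raw):
    """Assumes each active admin appears as a 'pkg/cls' component on an indented
    line under the 'Enabled Device Admins' header; the block ends at the next
    line indented no deeper than that header. Other sections are ignored."""
    admins, header_indent = [], None
    for line in raw.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if line.strip() and indent <= header_indent:
            break
        m = COMPONENT.search(line)
        if m:
            admins.append(m.group(0))
    return admins


def triage(accessibility_raw, sms_raw, dpm_raw):
    """Return (category, component) pairs for anything outside the allowlists."""
    findings = []
    for svc in map(normalize, parse_enabled_accessibility(accessibility_raw)):
        if svc not in KNOWN_ACCESSIBILITY:
            findings.append(("accessibility_service", svc))
    sms = parse_default_sms_app(sms_raw)
    if sms and sms not in KNOWN_SMS_APPS:
        findings.append(("default_sms_app", sms))
    for adm in map(normalize, parse_device_admins(dpm_raw)):
        if adm not in KNOWN_DEVICE_ADMINS:
            findings.append(("device_admin", adm))
    return findings


def collect_from_device(serial=None):
    """Gather the three outputs over adb and triage them (needs a connected device)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def run(*args):
        return subprocess.run(base + list(args), capture_output=True,
                              text=True, check=True).stdout

    return triage(run("settings", "get", "secure", "enabled_accessibility_services"),
                  run("settings", "get", "secure", "sms_default_application"),
                  run("dumpsys", "device_policy"))


# Constructed sample output imitating an infected device; the package is made up.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeapp/com.example.fakeapp.AccService\n"
)
SAMPLE_SMS = "com.example.fakeapp\n"
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10016
      policies:
        wipe-data
    com.example.fakeapp/.AdminReceiver:
      uid=10123
      policies:
        force-lock
  Password state:
    mPasswordOwner=-1
"""

if __name__ == "__main__":
    for category, component in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS, SAMPLE_DPM):
        print(f"{category}: {component}")
```

On the constructed sample the script reports the made-up package three times: once as an accessibility service, once as the default SMS app and once as a device admin, which is exactly the combination the article describes. A single unfamiliar accessibility service is the strongest signal, since a legitimate banking or messaging app has no reason to request it. If a flagged admin cannot be revoked from Settings because the app fights the removal, booting into safe mode keeps third-party code from running so the admin can be deactivated and the app uninstalled.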
Unuchek said that as part of his research he managed to intercept an
encrypted configuration file from the malware's C&C server. The
file helped him determine some of the sites and services that Svpeng
targets. He claims the file contained phishing URLs for both the PayPal
and eBay mobile apps, along with URLs for banking apps from the UK,
Germany, Turkey, Australia, France, Poland, and Singapore.
The file also contained an overlay for an app that isn't a
financial app at all: Speedy Rewards, a rewards app distributed by the
US gas station and convenience store chain Speedway.
In addition to the URLs, the file shows that the malware can receive
the following commands from the server:
- To send SMS
- To collect info (Contacts, installed apps and call logs)
- To collect all SMS from the device
- To open URL
- To start stealing incoming SMS
The most recent version of the Trojan, dubbed
Trojan-Banker.AndroidOS.Svpeng.ae, isn't exactly widely deployed,
Unuchek says. Only a small number of users were attacked over the
course of a week, but the campaign could stretch further. While the
malware may not have hit many users, those it did hit were spread across
23 countries, including Russia, Germany, Turkey, Poland, and France,
according to Unuchek.