There’s no doubting it. Mobile threats around the globe are evolving. Korea was recently targeted by an Android trojan masquerading as the Google Play app that overwrites legitimate banking apps with malicious fakes poised to steal the user’s banking credentials. Over in Spain, an Android trojan has stepped in, trying to pass itself off as an official mobile app from the Spanish bank, Banca March.
Kaspersky Lab reports that an improved version of the Android trojan Svpeng is now hitting Russian mobile devices as well. To start, the trojan spreads via SMS spam using an old trick — disguising itself as Adobe Flash. Mobile users unfortunate enough to answer the text are then met with automated attempts to leverage the users’ texts to check and deplete their bank account balances. It accomplishes this by first sending an SMS text query to several Russian banks. Should a bank account be associated with the victim’s phone number, the trojan will then receive this account’s balance which it will then forward to its command and control (C&C) server. The C&C server can then easily reply with commands to have Svpeng siphon money from the victim’s bank account, via SMS, into the attacker’s own account(s). Kaspersky highlights this bit of code to illustrate the capability:
The “improvements” don’t stop there. This version incorporates bank phishing by attempting to harvest the victim’s financial details by overlaying legitimate-appearing windows onto two widely popular apps. Both Google Play and one of Russia’s largest financial institutions are targeted. In the case of the Russian bank, a fake login screen is presented to the user, but any credentials entered will be quickly shuttled off to a C&C server. Similarly, victims opening their Google Play app are prompted to enter their credit/debit card information which is unknowingly sent off to the culprits.
Should the victim or installed security software become aware of the ruse, the trojan has eloquent ways of deterring removal:
Evermore slippery, Svpeng uses DeviceAdmin (a default Android service) to hinder deletion by other software, while an Android zero-day stops the victim from manually disabling DeviceAdmin or resetting the phone back to factory default.
A language check upon reboot may hint at cybercriminals desire to expand into regions outside of Russia. Despite being isolated to Russian targets and banks, Svpeng also caters to Android devices running in the US, Ukraine, Germany, and Belarus. For devices located in any of the aforementioned countries, the Trojan presents a loading message in the relevant language. The trojan can also be used to forcibly open a website provided by the C&C. Theoretically, this could be used in concert with the country information to push malicious, region-targeted content and phishing sites. With this concept and explicit frame work laid out in detail, it’s only a matter of time before someone extends it beyond the borders of Russia.
We’ve seen the affects of similar banking Trojans in the past. Back in late 2012, a joint PC-and-mobile piece of malware “eurograbber” used clever maneuvering and social engineering to infect users’ PCs and mobile devices to intercept bank-related SMS. These SMS were intended to be two-factor authentication SMS texts from the banks, but were quickly swept up by the trojan. This elaborate technique netted the attackers more than 36M euro (roughly 46M USD) from over 30 thousand retail and corporate accounts. With F-Secure reporting that the volume of new mobile malware families and variants rose by 63% in 2012, mobile malware like Svpeng leveraging zero-days, and creative uses like eurograbber, it’s easy to assume that mobile malware writers around the globe are just getting started.