A new version of the Svpeng Android banking trojan has started making victims during the past month, and at the origin of this sudden surge in activity is a criminal selling a new and improved version of Svpeng on a Russian underground hacking forum.
To provide some context, Svpeng is one of the oldest Android malware families and a constant innovator on the Android malware scene.
Security researchers first spotted Svpeng in 2013, and over the course of its evolution the trojan was the first malware to use several techniques, such as:
During mid-July this year, Svpeng added a new notch on its belt of innovations. According to security researchers from Dr.Web, Kaspersky Lab, and Sophos, Svpeng became the first banking trojan to add keylogger features, now being capable of recording everything users type on their devices, via built-in or third-party keyboard apps.
This is done through the native Android Accessibility feature, which many other malware families also abuse. All Svpeng needs is to trick users into granting a malicious app access to this feature, which it later uses to add its own admin user on the victim's phone. That admin user, in turn, lets Svpeng operate undisturbed behind the user's back.
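The two privileges the paragraph describes, an enabled accessibility service and device-admin rights, are both visible from the device side. The following triage helper is an added example, not code from the article or from any of the vendors it cites: it parses the output of three `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, and `dumpsys device_policy`) and flags third-party packages that hold both privileges. The sample output embedded below is constructed, the package names are hypothetical, and the exact layout of the `dumpsys device_policy` section is assumed from typical Android output rather than taken from the page.

```python
"""
Defender-side triage: flag third-party Android apps that hold an enabled
accessibility service AND device-admin rights. Added example; all sample
command output below is constructed and package names are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Android stores a ':'-separated list of "package/serviceclass" components;
# a class name starting with '.' is shorthand for the package prefix.
ENABLED_A11Y = "com.android.talkback/.TalkBackService:com.flashplayer.update/.KeyService"

# Constructed sample of: adb shell pm list packages -3   (third-party packages only)
THIRD_PARTY = """package:com.flashplayer.update
package:com.example.bank
package:com.example.notes"""

# Constructed excerpt of: adb shell dumpsys device_policy
# (section layout assumed from typical Android output; treat as illustrative)
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled device admins (User 0, provisioningState: 0):
    com.android.mdm.demo/.AdminReceiver:
      uid=10055
    com.flashplayer.update/.AdminReceiver:
      uid=10123
"""


@dataclass
class AppPrivileges:
    package: str
    accessibility: bool = False
    device_admin: bool = False
    third_party: bool = False


def parse_components(listing: str) -> set[str]:
    """Package names from a ':'-separated list of 'pkg/cls' component strings."""
    return {item.split("/", 1)[0] for item in listing.split(":") if item.strip()}


def parse_third_party(listing: str) -> set[str]:
    """Package names from 'pm list packages' output ('package:' prefix per line)."""
    return {
        line.strip().removeprefix("package:")
        for line in listing.splitlines()
        if line.strip().startswith("package:")
    }


def parse_device_admins(dump: str) -> set[str]:
    """Package names listed under the 'Enabled device admins' section of dumpsys."""
    pkgs: set[str] = set()
    in_section = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Enabled device admins"):
            in_section = True
            continue
        # Component lines look like "pkg/cls:"; attribute lines (uid=...) are skipped.
        if in_section and "/" in line and line.endswith(":"):
            pkgs.add(line.rstrip(":").split("/", 1)[0])
    return pkgs


def triage(a11y: str, third_party: str, policy: str) -> dict[str, AppPrivileges]:
    """Merge the three listings into one privilege record per package."""
    a11y_pkgs = parse_components(a11y)
    tp_pkgs = parse_third_party(third_party)
    admin_pkgs = parse_device_admins(policy)
    records: dict[str, AppPrivileges] = {}
    for pkg in a11y_pkgs | tp_pkgs | admin_pkgs:
        records[pkg] = AppPrivileges(
            package=pkg,
            accessibility=pkg in a11y_pkgs,
            device_admin=pkg in admin_pkgs,
            third_party=pkg in tp_pkgs,
        )
    return records


def suspicious(records: dict[str, AppPrivileges]) -> list[str]:
    """Third-party packages holding both accessibility and device-admin rights."""
    return sorted(
        p.package for p in records.values()
        if p.third_party and p.accessibility and p.device_admin
    )


if __name__ == "__main__":
    for pkg in suspicious(triage(ENABLED_A11Y, THIRD_PARTY, DEVICE_POLICY)):
        print(f"review: {pkg} has accessibility + device admin")
```

The system TalkBack service is not flagged because it is not a third-party package, and the hypothetical banking app is not flagged because it holds neither privilege; only the package combining both, which matches the pattern the article describes, is reported for manual review.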
Currently, this trojan is spread disguised as an Android version of the Adobe Flash application. In the past, Svpeng relied heavily on mobile malvertising, some of which downloaded the trojan onto users' phones without even requiring user interaction [1, 2].
The current campaign targets users all over the world. Researchers say they spotted Svpeng versions containing configurations that allow it to steal login credentials for 14 UK banks, 10 German banks, 9 Turkish banks, 9 Australian banks, 8 French banks, 7 Polish banks, and 6 Singapore banks.
Kaspersky Lab notes that despite this, most infected users were from Russia, but Svpeng was configured to avoid execution on these devices, a classic sign it was created by a local criminal who wants to avoid getting on the radar of local authorities.
In the past, Svpeng heavily targeted and infected Russian victims. In August 2015, Russian authorities arrested a man on suspicion of creating the Svpeng banking trojan, but new versions continued to come out after his arrest.
According to threat intelligence company SenseCy, someone named CryEye is peddling this new Svpeng version with a built-in keylogger on Russian-speaking hacking forums.
The good news is that for reasons unknown, "neither the seller nor his advertisement have gained trust among other members of the forum where it was posted," according to SenseCy.
One reason might be the fact that the seller is advertising this Svpeng version as CryEye, a new trojan. Potential buyers were quick to catch on that this is, in reality, a version of Svpeng, which most of today's mobile antivirus apps can detect and neutralize, mainly because of its long history.