Android users.. keep alert ! New malware found

ABUSING THIS SYSTEM FEATURE ALLOWS THE TROJAN NOT ONLY TO STEAL ENTERED TEXT FROM OTHER APPS INSTALLED ON THE DEVICE, BUT ALSO TO GRANT ITSELF MORE PERMISSIONS AND RIGHTS, AND TO COUNTERACT ATTEMPTS TO UNINSTALL THE TROJAN

Android users beware, one of the most dangerous banking malware Svpeng has received an update. According to Russian security firm Kaspersky, it has found a new modification of the mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae.

“In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services,”

Android’s accessibility services are aimed to helps users with disabilities better navigate their devices and apps.

“Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan.”

Svpeng also overlays some Google apps to steal credit card details.

However, fortunately data suggests that the latest version of malware has still not spread widespread.

As per Kaspersky, during the past week, it observed only a small number of such attacks. However, the targets spanned 23 countries. Most attacked users were in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%).
Svpeng malware was first detected in the year 2013. It is among the first malware to launch attacks on SMS banking, use phishing pages to overlay other apps to steal credentials, and block devices and demand money.

 

In 2016, cybercriminals are said to be actively distributing Svpeng through AdSense using a vulnerability in Google’s Chrome browser.

 

As for the distribution, the Trojan-Banker.AndroidOS.Svpeng.ae gets spread via malicious websites as a fake flash player. The malware’s malicious techniques can even work on fully-updated Android devices, including those with all security updates installed. By accessing only one system feature this Trojan can reportedly gain all necessary additional rights and steal data.

Kaspersky Lab experts have uncovered a new variant of the Svpeng mobile banking Trojan that features keylogging functionality, a technique more commonly associated with targeted threat actors. The modified Trojan steals entered text such as banking credentials by abusing Android’s accessibility services. This approach also allows the Trojan to grant itself other permissions and rights and to counteract attempts to uninstall it. The researchers warn that simply keeping device software up to date does not protect against this Trojan.

In July 2017, Kaspersky Lab researchers discovered that Svpeng had evolved to abuse this system feature to steal entered text from other apps on the device and grant itself a number of additional rights.

The Trojan is distributed through malicious websites as a fake flash player app. Upon activation, it asks for permission to use accessibility services. By abusing this single feature, it can achieve all of the following: access the UIs of other apps and take screenshots every time a key is pressed on the keypad, logging data such as banking credentials. It can give itself device administrator rights and the ability it to draw over other apps. The ability to overlay is needed because some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan draws its phishing window over the app instead. The researchers uncovered a list of phishing URLs targeting the banking apps of leading European retail banks.

Further, it can install itself as the default SMS app, send and receive SMS, make calls, and read contacts, and block any attempts to remove device administrator rights – thereby preventing its uninstallation. The Trojan’s malicious techniques work even on fully updated devices, which have the latest version of Android OS and all security updates installed.
The Trojan is not yet widely deployed, and overall attack numbers are low. Most of the attacks detected to date are in Russia (29 per cent), Germany (27 per cent), Turkey (15 per cent), Poland (6 per cent) and France (3 per cent). Kaspersky Lab advises users to install a reliable security solution.

Kaspersky Lab advises users to install a reliable security solution, such as Kaspersky

Internet Security for Android on their device, to always check that apps have been created by a reputable developer and not to download anything that looks at all suspicious or whose source cannot be verified. Last but not least, to take care when granting apps additional privileges.