A new modification of the Svpeng Android malware has just been reported by security experts. It is able to steal sensitive information from the infected devices and includes a lot of advanced features.
The Svpeng Android Malware Aims High
The Svpeng Android malware is a well-known banking Trojan made for Google’s mobile operating system. It has evolved through several versions and has now seen a new major iteration that has been featured prominent in a large attack campaign. The Svpeng Trojan primarily infects devices through hacker-controlled advertising messages available on the Google AdSense network. The malicious instances are created by the criminals and distributed to many generated sites that are linked on the Web. A thorough security examination reveals that the Svpeng Android malware pages are found on all sorts of sites not just a single category (such as news portals).
When the victim comes into contact with the hacker sites a malicious script is executed that downloads the executable to the device’s storage. This is highly unusual as ordinary downloads need to be confirmed by the user. The Svpeng Android malware is able to bypass the browser download mechanisms and infiltrate the devices immediately after the infection is triggered.
Svpeng Android Malware Analysis
The security experts reveal that a special JavaScript code bundled into the sites is the reason why the usual browser download behavior is bypassed. The programmers have specified that by default the malware should be saved to the removable storage (if available). To conceal the malicious behavior the code displays an add message. It is used to deliver Svpeng in an encrypted way. The ad itself contains a special command that decrypts the binary and runs the file on the affected device.
The analysts presume that the criminal collective behind the new version originate from Russia or a Russian-speaking country as the targets are selected to confront to their own country and region. Google has been notified by the researchers as the exploit code has been confirmed to work with the Chrome web browser. The security team (as of writing this article) have already published a fix that will be available in the next software update. Notable sites that were found to distribute the Svpeng Trojan include Russia Today and the Meduza network of news portals.
One of the main functions of Svpeng is its banking Trojan module. It attempts to steal the sensitive account credentials that are entered on mobile banking systems and apps. This is done by either keylogging the input username and password combinations or placing counterfeit overlays that resemble the real sites. The malware has been found to intercept the requests made by legitimate online services such as Sberbank and Privat24, extensively used in Russia and Russian-speaking countries.
SvPeng Android Trojan is also distributed as a counterfeit app. The security experts compiled of known instances:
last-browser-update.apk, WhatsApp.apk, Google_Play.apk, 2GIS.apk, Viber.apk, DrugVokrug.apk,
Instagram,apk, VKontakte.apk, minecraftPE.apk, Skype,apk, Android_3D_Accelerate.apk,
SpeedBoosterAndr6.0.apk, new-android-browser.apk, AndroidHDSpeedUp.apk, Android_update_6.apk,
WEB-HD-VIDEO-Player.apk, Asphalt_7_heat.apk, CHEAT.apk, Root_Uninstaller.apk, Mobogenie,apk,
Chrome-update.apk, Trial_Xtreme.apk, Cut_the_Rope_2.apk, Установка.apk, Temple_Run.apk
Svpeng Android Malware Attack Campaign
The Svpeng Android malware is being distributed using attack campaigns that are carefully planned in advance. One of the notable ones happened last year (July 2016). The collected statistics data and the malware samples show that the hacker operators prefer to launch massive campaigns over a short period of time before updating the malware strain and configuring it for another target group.
Svpeng Android malware is extremely efficient at infecting devices. For about two months the virus was able to infiltrate 318 000 users, this amounts to about 37 000 infections per day. We anticipate that future versions of Svpeng are going to use alternative approaches that will boost the infection ratio. As Google has already been notified of the ads they have been blocked by the search engine and its services.
The Trojan is able to launch the following attacks on the compromised devices:
- Surveillance – The criminals can spy on the users and their activities in real time. This includes everything from acquiring screenshots of their actions to recording keystrokes and application interaction.
- Trojan Module – The hacker operators can establish remote connections to the infected devices and control them at will. The criminals can obtain control at any given time using both the system and administrative account.
- Data Collection – The Svpeng Trojan is able to harvest detailed information about the system and all installed software. The malware can query the list of installed applications, the available hardware and resources and collect the information for statistics use by the hackers. Everything is then relayed to the hackers for further use.
- File Transfer – The virus can be used to download files of interests by the hackers. They have access to the whole file system, including system files and removable storage devices such as microSD expansion cards. The criminals can also files to the devices, a possibility to infect the victims with additional malware.
- DOS Attack Capabilities – The malware can be used to initiate Denial-of-service (DOS) attacks against hacker-provided victims. A network of Svpeng-infected devices can be used as a botnet to take down a certain predefined target. Effective use of this feature can turn the Svpeng into a very dangerous weapon in the hands of its controllers. It can also be rented out to other hackers in return of a hefty fee.
The SvPeng virus code initiates several removal-resistant that prohibit manual removal options by preventing the user from closing the window, opening the settings window or deceiving the victims. Basic social engineering tactics are employed – a password prompt is displayed that repeatedly states that the password is incorrect, even though it is.
Further Svpeng Android Malware Attacks Anticipated
The Svpeng Android malware can cause significant damage to the affected devices. This is the reason why upcoming attacks are anticipated by the security community. There are several possible case scenarios that can be used to spread future versions of the Trojan:
- Follow-up Attacks – The hackers can coordinate future campaigns that are based on the current concept. Slight modifications to the code, the addition of new domains and renamed executables can all form the base for a new attack campaign.
- New Distribution Strategies – The hackers can opt to use the same malicious executables with a new spread strategy. This includes virtually all possibilities that are not yet covered by the existing tactics. Examples include malware delivery via another virus attack, direct hacker intrusions and etc.
- A New Campaign – This options considers the creation of a new Svpeng Android malware version complete with a revamped distribution strategy. Depending on the severity of the made modifications the security analysts may not be able to detect the attacks immediately if they are concealed properly. Only a detailed code analysis can reveal that the code is descendant from the malware family.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: