Mobile Trojan Svpeng turns Keylogger and Steals through Services for Disabled Users

Kaspersky Lab experts have uncovered a new variant of the Svpeng mobile banking Trojan that features keylogging functionality, a technique more commonly associated with targeted threat actors. The modified Trojan steals entered text such as banking credentials by abusing Android’s accessibility services. This approach also allows the Trojan to grant itself other permissions and rights and to counteract attempts to uninstall it. The researchers warn that simply keeping device software up to date does not protect against this Trojan.

In July 2017, Kaspersky Lab researchers discovered that Svpeng had evolved to abuse this system feature to steal entered text from other apps on the device and grant itself a number of additional rights.
The Trojan is distributed through malicious websites as a fake flash player app. Upon activation, it asks for permission to use accessibility services. By abusing this single feature, it can achieve all of the following: access the UIs of other apps and take screenshots every time a key is pressed on the keypad, logging data such as banking credentials. It can give itself device administrator rights and the ability it to draw over other apps. The ability to overlay is needed because some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan draws its phishing window over the app instead. The researchers uncovered a list of phishing URLs targeting the banking apps of leading European retail banks.

Further, it can install itself as the default SMS app, send and receive SMS, make calls, and read contacts, and block any attempts to remove device administrator rights – thereby preventing its uninstallation. The Trojan’s malicious techniques work even on fully updated devices, which have the latest version of Android OS and all security updates installed.
The Trojan is not yet widely deployed, and overall attack numbers are low. Most of the attacks detected to date are in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). Kaspersky Lab advises users to install a reliable security solution.