Svpeng Trojan Upgraded to Steal All Your Banking Info

The infamous banking Trojan Svpeng has had another upgrade, this time allowing it to abuse accessibility services in order to steal entered text, according to Kaspersky Lab.

The update, which makes Svpeng an even more effective harvester of victims’ sensitive banking information, was discovered by the Russian AV vendor in mid-July.

The variant, detected as Trojan-Banker.AndroidOS.Svpeng.ae, is distributed via fake Flash Player updates on malicious sites and works even on Android devices with all security updates installed, wrote Kaspersky Lab senior malware analyst Roman Unuchek.

On start-up, the malware will request permission to use accessibility services.

“In abusing this privilege, it can do many harmful things. It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts,” explained Unuchek.

“Furthermore, using its newly-gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation. It is interesting that in doing so it also blocks any attempt to add or remove device administrator rights for any other app too.”

Most importantly, this means Svpeng can gain access to the UI of other apps on the victim’s phone and steal data from them, including entered text.

It will also take and transmit a screenshot every time the user presses the keyboard. For applications that block screenshots, it instead draws its phishing window over the targeted app.
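The combination the article describes, an accessibility service that also holds device-administrator rights and the default SMS role, is unusual for a legitimate app and is cheap to check for during device triage. The script below is an added example and is not code from the article or from Kaspersky Lab; it parses the text of three Android settings and `dumpsys` outputs (the `enabled_accessibility_services` and `sms_default_application` secure settings are real, while the `dumpsys device_policy` layout and all sample values, including the `com.example.flashupdate` package, are constructed assumptions) and flags packages that hold an accessibility service together with either of the other two privileges.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Constructed sample inputs (not real device output) ----------------------
# adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.android.talkback/.TalkBackService:"
               "com.example.flashupdate/.A11yService")
# adb shell settings get secure sms_default_application
SAMPLE_DEFAULT_SMS = "com.example.flashupdate"
# Fragment in the shape of `adb shell dumpsys device_policy` (layout assumed)
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.flashupdate/com.example.flashupdate.AdminReceiver}:
      uid=10234
    ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}:
      uid=10019
"""


def parse_accessibility_services(setting: str) -> set[str]:
    """Package names of enabled accessibility services.

    The setting is 'pkg/.Service:pkg2/.Service2'; 'null' or empty means none.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_device_admins(dump: str) -> set[str]:
    """Package names of active device admins, taken from ComponentInfo{pkg/cls}."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dump))


def parse_default_sms(setting: str) -> str | None:
    """Package holding the default-SMS role, or None if unset."""
    setting = setting.strip()
    return None if not setting or setting == "null" else setting


@dataclass(frozen=True)
class Finding:
    package: str
    privileges: tuple[str, ...]


def triage(a11y: set[str], admins: set[str], default_sms: str | None,
           allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag packages that pair an accessibility service with device-admin
    rights and/or the default-SMS role.

    Accessibility alone is legitimate (screen readers, automation tools), so a
    package is only reported when it holds at least one of the other two.
    """
    findings: list[Finding] = []
    for pkg in sorted(a11y - allowlist):
        privs = ["accessibility"]
        if pkg in admins:
            privs.append("device_admin")
        if pkg == default_sms:
            privs.append("default_sms")
        if len(privs) > 1:
            findings.append(Finding(pkg, tuple(privs)))
    # Most privileges first: the worst offender tops the list.
    findings.sort(key=lambda f: len(f.privileges), reverse=True)
    return findings


def triage_from_adb_output(a11y_setting: str, device_policy_dump: str,
                           sms_setting: str,
                           allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Convenience wrapper taking the raw text of the three adb commands."""
    return triage(parse_accessibility_services(a11y_setting),
                  parse_device_admins(device_policy_dump),
                  parse_default_sms(sms_setting), allowlist)


if __name__ == "__main__":
    for f in triage_from_adb_output(SAMPLE_A11Y, SAMPLE_DEVICE_POLICY,
                                    SAMPLE_DEFAULT_SMS):
        print(f"{f.package}: {', '.join(f.privileges)}")
```

On a real device you would feed the script the output of the three `adb shell` commands named in the comments; the allowlist parameter lets you suppress a known enterprise MDM or screen reader without hiding the accessibility-plus-admin pairing for everything else.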

Although not yet widely deployed, the malware has already targeted users in 23 countries, the largest number being concentrated in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%).

However, the Trojan won’t work on devices set to the Russian language, a common tactic among cybercriminals who don’t want to attract the attention of local law enforcement, according to Unuchek.

The UK tops the list in terms of the number of indigenous banking apps targeted by Svpeng (14), followed by Germany (10), Turkey (9) and Australia (9).

Svpeng has a four-year history of innovation behind it: it was the first malware to target SMS banking, the first to use phishing pages to steal credentials from other apps, and the first to feature ransomware capabilities.
