This Android banking malware steals data by exploiting smartphone accessibility services

The notorious Svpeng malware takes advantage of an Android function designed to help people with disabilities use their phone.
Written by Danny Palmer, Senior Writer

Svpeng now uses a keylogger to put mobile banking app details into the hands of hackers.

Image: iStock

Svpeng is one of the most notorious banking Trojans because its operators upgrade it regularly to keep it effective and keep infecting victims.

It has just been upgraded again with new keylogger functionality in a bid to steal any text entered on the phone, including usernames and passwords -- and it does so by abusing accessibility services, the Android function designed to help people with disabilities use their phone. No vulnerability is involved: the malware asks for the permission and relies on the user granting it.

By abusing this feature, Svpeng can steal text typed into other apps, open URLs and read text messages. It can also grant itself additional permissions and rights that make it hard to uninstall.

The malware is distributed through malicious websites as a fake Flash player, and the researchers at Kaspersky Lab who uncovered the latest version warn that it works even on fully up-to-date versions of Android, because it abuses a legitimate feature rather than an unpatched bug.

Once started on the device -- and after checking that the phone isn't configured to Russian -- Svpeng asks for permission to use accessibility services. Once it has that access, it uses it to grant itself device administrator rights and to install itself as the default app for SMS messaging.

Svpeng also grants itself the ability to send and receive texts, make calls and read contacts, as well as blocking any attempts to remove administrator rights, and preventing any other app adding or removing further rights.

By abusing accessibility services, the Trojan can read the UI of any other app installed on the phone and steal data from it, including text. The malware also takes a screenshot every time the user presses a key on the keyboard and uploads the images to the criminals' command and control server.
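The three changes described above (an extra accessibility service, a new device administrator, and a replaced default SMS app) are all visible in Android's settings, so they can be checked from a workstation with adb. The script below is an added example, not code from the article or from Kaspersky Lab: it parses the output of `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `settings get secure sms_default_application` and flags anything outside an allowlist. The allowlists, the `com.example.*` package names and the sample outputs are constructed for the example; the `dumpsys device_policy` layout varies between Android versions, so the component regex is a heuristic that looks for `package/class` pairs rather than a parser for one exact format.

```shell
#!/bin/sh
# Added triage script, not from the article or Kaspersky Lab. It checks the three
# settings Svpeng is described as taking over: enabled accessibility services,
# active device administrators, and the default SMS app. The samples below are
# constructed; on a real device replace them with adb output (see usage note).

# Allowlists are assumptions for an example fleet; adjust to your own baseline.
ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
ALLOWED_ADMINS="com.example.mdm/.MdmAdminReceiver"
EXPECTED_SMS_APP="com.google.android.apps.messaging"

# Constructed sample of: settings get secure enabled_accessibility_services
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeflash/.AccessService"

# Constructed sample in the shape of: dumpsys device_policy (layout is assumed)
SAMPLE_ADMINS="Enabled Device Admins (User 0):
  com.example.mdm/.MdmAdminReceiver
  com.example.fakeflash/.AdminReceiver"

# Constructed sample of: settings get secure sms_default_application
SAMPLE_SMS="com.example.fakeflash"

# Print every enabled accessibility service not on the allowlist.
# The setting is a colon-separated list of package/class component names.
flag_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    case ":$ALLOWED_A11Y:" in
      *":$svc:"*) ;;
      *) printf '%s\n' "$svc" ;;
    esac
  done
}

# Print every device admin component not on the allowlist. Heuristic: a dotted
# package name, a slash, then a class name (possibly abbreviated with a leading dot).
flag_admins() {
  printf '%s\n' "$1" \
    | grep -oE '[a-z][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)+/\.?[A-Za-z0-9_.$]+' \
    | while IFS= read -r comp; do
        case ":$ALLOWED_ADMINS:" in
          *":$comp:"*) ;;
          *) printf '%s\n' "$comp" ;;
        esac
      done
}

# Print the default SMS package if it is not the expected one.
flag_sms_app() {
  [ "$1" = "$EXPECTED_SMS_APP" ] || printf '%s\n' "$1"
}

# Run all three checks. Returns 0 when nothing is flagged, 1 otherwise.
triage() {
  a11y=$(flag_a11y "$1")
  admins=$(flag_admins "$2")
  sms=$(flag_sms_app "$3")
  rc=0
  [ -z "$a11y" ]   || { printf 'unexpected accessibility service: %s\n' "$a11y"; rc=1; }
  [ -z "$admins" ] || { printf 'unexpected device admin: %s\n' "$admins"; rc=1; }
  [ -z "$sms" ]    || { printf 'unexpected default SMS app: %s\n' "$sms"; rc=1; }
  return $rc
}

# Stand-alone run against the constructed samples.
if triage "$SAMPLE_A11Y" "$SAMPLE_ADMINS" "$SAMPLE_SMS"; then
  echo "no unexpected accessibility service, device admin or SMS app"
else
  echo "device needs a closer look"
fi
```

To use it on a real handset, feed it live output instead of the samples, for example `triage "$(adb shell settings get secure enabled_accessibility_services)" "$(adb shell dumpsys device_policy)" "$(adb shell settings get secure sms_default_application)"`. A flagged accessibility service is the highest-value signal here: legitimate apps rarely need it, and it is the permission that lets the malware read other apps' screens and click through its own privilege prompts.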

Most banking apps block screenshots while they're in use, but Svpeng gets around this by using accessibility services to identify which banking app is in the foreground and then drawing a fake login page over it. Svpeng can show fake login pages for dozens of banks, including 14 in the UK, 10 in Germany, nine each in Turkey and Australia, and eight in France.


A phishing screen which Svpeng uses to steal financial data.

Image: Kaspersky Lab

If the user enters their details into one of these overlays, their banking credentials will fall into the hands of hackers, putting victims at risk of financial losses, fraud, and identity theft.

Researchers note that there have been only a small number of Svpeng attacks, but those attacks have been spread across 23 countries. The highest number of attacked users was in Russia, even though the malware doesn't attack devices whose language is set to Russian.

While there's no definitive evidence as to which cybercriminal group is distributing Svpeng or where they're from, Kaspersky Lab points out that this is a standard tactic for Russian cybercriminals looking to avoid detection and arrest -- the Russian authorities tend to turn a blind eye to hacking and cybercrime, so long as it isn't targeting Russia.

What is known is that the group behind Svpeng is professional and constantly updates its malware to hit new targets and avoid detection.

"The Svpeng malware family is well-known for its innovation, making it one of the most dangerous families around. It was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money," said Roman Unuchek, senior malware analyst at Kaspersky Lab.

One of the best ways Android users can avoid becoming a victim of Svpeng is by not installing apps from unknown sources and being wary of apps that ask for accessibility service or device administrator access they have no obvious need for.
