Kaspersky Lab Detects Mobile Trojan Svpeng: Financial Malware with Ransomware Capabilities now Targeting U.S. Users

News provided by

Kaspersky Lab

16 Jun, 2014, 12:45 GMT

LONDON, June 16, 2014 /PRNewswire/ --

Although the GameOver Zeus botnet and CryptoLocker ransomware have been disrupted, it is still too early for a victory celebration. First, the two week deadline expires on June 17th, leaving just one week left before cybercriminals could regain control of their botnet. Second, stories of the GameOver Zeus and CryptoLocker campaign have already spawned a number of copycats among mobile malware writers.

Last Sunday, June 8th, Kaspersky Lab detected a mobile Trojan now operating in the USA and UK, called Svpeng, which combines the functionality of financial malware with ransomware capabilities. This is the first time that Svpeng, a famous money stealing mobile Trojan in Russia, has turned its attention to other markets.

For now, this piece of malware, allegedly of Russian origin, does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known Trojan that operates in Russia and is used mainly for stealing money. Additionally the Trojan's code contains some mentions of the Cryptor method which has not yet been used, so it is likely that it will soon be utilised for file encryption. In this case Svpeng will become the second most well-known mobile malware with such functionality after Pletor, which appeared in the wild in May 2014.

The Trojan checks a user's phone for a list of certain financial applications - more likely for future use, where it starts stealing login/password of online banking as it does now among Russian banks accounts. English-language Svpeng currently checks the presence of the following applications on a victim's device:

  • USAA Mobile;
  • Citi Mobile;
  • Amex Mobile;
  • Wells Fargo Mobile;
  • Bank of America Mobile Banking;
  • TD App;
  • Chase Mobile;
  • BB&T Mobile Banking;
  • Regions Mobile.

It then locks the screen of the mobile device with the imitation of an FBI penalty notification letter and demands $200 in the form of Green Dot's MoneyPak cards.  

Today we see that more than 91% of attacks using this Trojan target English-language users based in U.S. and UK. The other 9% targets India, Germany and Switzerland. It could soon reach other English-speaking countries and even other languages.

"It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution - the malware will block the device completely, not separate files as Cryptolocker did. If it happens to you, you can do almost nothing. The only hope for unlocking the device is if it was already rooted before it was infected; then it could be unlocked without deleting the data. One more option to remove the Trojan if your phone wasn't rooted is to boot into 'Safe Mode' and erase all data on the phone only, while SIM and SD cards will stay untouched and uninfected," says Roman Unuchek, Senior Malware Analyst at Kaspersky Lab.

Kaspersky Lab products detect Svpeng as Trojan-Banker.AndroidOS.Svpeng.a.

Kaspersky Lab security solutions for home and corporate users contain a range of technologies to prevent different types of malware attacks including those designed to steal confidential and financial data, or encrypt important files in order to ransom money.

More information can be found on securelist.  

About Kaspersky Lab 

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.com.

  • The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012. 

Contact:
Kasperskylab@berkeleypr.co.uk
+44(0)118-9090909