Svpeng attacks Russia: cybercriminals have learnt to steal using smartphone accessibility features

Experts call the virus dangerous because it can bypass the newest protection mechanisms on Android devices

Cybersecurity experts have reported a new Android virus. The so-called Svpeng gains access to bank card data and can easily steal money from the cards with the help of accessibility services, the functions designed for disabled people. However, the Trojan has an Achilles heel: it does not run on devices with a Russian-language interface, which researchers link to the cybercriminals being Russian. Realnoe Vremya's reporter examined the specifics of the new threat.

Theft with accessibility features

Android users face a new modification of the Svpeng mobile Trojan, which steals bank card data. Kaspersky Lab experts, who detected it in the middle of July this year, warned about its existence. The virus spreads via malicious websites under the guise of a fake Flash Player. Once active, it uses accessibility services, the functions for disabled people, to gain access to the interface of other applications and the ability to take a screenshot whenever a character is typed on the on-screen keyboard, the company's press release says.

With the help of accessibility services, Svpeng sets itself as the default SMS application, grants itself the right to make calls and access contacts, and blocks attempts to revoke its device administrator privileges. However, experts consider the ability to draw its windows over other programmes the most dangerous privilege. It lets the Trojan intercept certain applications, banking apps in particular, and take screenshots while they are displayed. The virus shows its own phishing window on top of the banking app; the client enters their data there, and the data are sent to the cybercriminals. The specialists note that they recovered the full list of phishing addresses the Trojan uses to attack the applications of several leading European banks.

Kaspersky Lab experts who detected it in the middle of July this year warned about its existence. Photo: osp.ru

Cybercriminals are able to perform these operations even on fully updated devices running the latest Android version. Curiously, the virus does not work on devices with a Russian-language interface. Researchers explain that Russian cybercriminals often use this tactic to avoid problems with the law, so they presume the Trojan was created by Russian programmers.

Cyberattacks have reached a new level

Roman Unuchek, senior anti-virus expert at Kaspersky Lab, says that the use of accessibility services allows the Trojan to bypass many protection mechanisms in the latest Android versions and to steal far more data than before.

''The Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money. In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families, and it is why we monitor the functionality of new versions,'' the specialist is quoted as saying in the company's press release.

In a post on the company's blog on 1 August, Roman Unuchek wrote that they had detected a small number of attacks over a week, but their geography covered 23 countries. The majority of attacks were in Russia (29%). Another 27% of attacks were detected in Germany, 15% in Turkey, 6% in Poland and 3% in France.

Nikolay Anisenya thinks the new modification of the virus is quite dangerous precisely because it does not exploit a system vulnerability but simply holds elevated privileges. Photo: themsphub.com

Perfect spy and threat to mobile banking

Nikolay Anisenya, an expert in the Mobile Device Security Research Department at Positive Technologies, thinks the new modification of the virus is quite dangerous precisely because it does not exploit a system vulnerability but simply holds elevated privileges that the user grants it himself. This means the virus bypasses the newest protection mechanisms on Android devices.

''Meanwhile, the Trojan has access to the data shown on the screen, SMS, calls and text typed on the screen. This function makes the virus a perfect spy and a threat to mobile banking. Not every bank application is able to resist such threats from legitimate applications. Many mobile banking applications allow users to take screenshots, don't check for the presence of overlays and use SMS to confirm transactions,'' the expert comments.
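The three weaknesses the expert lists (screenshots allowed, no overlay check, SMS confirmation) map onto concrete Android mitigations. The following is an added example written for this article, not code from Positive Technologies, Kaspersky Lab or any banking app; the class name SecureLoginActivity and the log tag are assumptions. It shows a login screen that refuses screen capture with FLAG_SECURE, discards touches that arrive through an overlay window, and warns when a third-party accessibility service is active.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;

import java.util.ArrayList;
import java.util.List;

// Hypothetical login screen of a banking app (example name, not from the article).
public class SecureLoginActivity extends Activity {

    private static final String TAG = "SecureLogin"; // assumed log tag

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Block screenshots and screen recording of this window. With FLAG_SECURE the
        //    system refuses screen captures and blanks the window in the recents view, so a
        //    screenshot taken on every keystroke yields nothing from this screen.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        EditText password = new EditText(this);
        // 2. Drop touches delivered while another window is drawn over this view.
        //    Same effect as android:filterTouchesWhenObscured="true" in layout XML.
        password.setFilterTouchesWhenObscured(true);
        setContentView(password);

        // 3. Warn when any accessibility service is enabled. Accessibility services are
        //    legitimate, so a real app would explain the risk rather than refuse to run.
        List<String> services = enabledAccessibilityServices(this);
        if (!services.isEmpty()) {
            Log.w(TAG, "Accessibility services active: " + services);
        }
    }

    // 4. Overlay check for the whole Activity, covering views that do not filter touches.
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if (isObscured(ev)) {
            Log.w(TAG, "Touch arrived while the window was obscured; ignoring it");
            return true; // consume the event without acting on it
        }
        return super.dispatchTouchEvent(ev);
    }

    /** True when the touch passed through another window drawn on top of this one. */
    static boolean isObscured(MotionEvent ev) {
        return (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }

    /** Component ids of the accessibility services currently enabled on the device. */
    static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        if (am == null) {
            return ids;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }
}
```

The third weakness, SMS confirmation, has no client-side fix: a Trojan that has made itself the default SMS application reads every code the bank sends. The mitigation there is to confirm transactions with a second factor the malware cannot read from the same device, such as a confirmation bound to the app's own push channel or a hardware token, which is a server-side design decision rather than something the Activity above can enforce.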

Sergey Nikitin, Deputy Director of Group-IB's Digital Forensics Laboratory, also says that the virus' capabilities have grown considerably with the use of accessibility services, for instance in capturing keyboard input in other applications, which makes it possible to obtain logins, passwords and chats from those applications. In the expert's opinion, the speed of the virus' spread depends on the swindlers' activity: ads, SMS and messaging on social networks.

''Let's note that in all cases the user installs the virus on his smartphone himself and grants the virus the corresponding rights. So the virus' distribution speed, unfortunately, depends on the victims themselves, on how actively they install it,'' Sergey Nikitin says.

Sergey Nikitin also says that the virus' capabilities have grown considerably with the use of accessibility services. Photo: rspectr.com

According to Nikolay Anisenya, the number of Trojans using similar technology is growing constantly, which is cause for concern. Among viruses with a similar algorithm he names the Bankbot malware, which was disguised as the Funny Videos 2017 application and also targeted banks.

''The Trojan attacked users of more than 400 banks around the world using overlays in applications and capturing SMS. It steals not only bank account passwords but also login details for popular social networks and messengers,'' says the expert of the Mobile Device Security Research Department at Positive Technologies.

The SpyDealer Trojan is another example of a virus using accessibility services. It targets Android 2.2-4.4 devices but can also steal information on the latest OS versions through Android's accessibility features. Nikolay Anisenya says the virus is not distributed via Google Play, which is why users who install applications from unreliable sources are at risk.

By Maria Goroshaninova