Cybercriminals have updated the popular Svpeng mobile banking trojan, giving it keylogger capabilities and the ability to capture text entered into almost all of a device's apps.
Kaspersky Labs discovered the new feature in mid-July, noting that the trojan steals entered text through Android's accessibility service. This is an interface normally used by people with disabilities, or who for some other reason cannot fully interact with their device. One reason the attackers targeted this feature is that it can be used to grant additional permissions.
“Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan,” Kaspersky wrote.
So far the number of recorded attacks has been low but geographically widespread, with the improved trojan hitting victims in 23 countries, primarily Russia, Germany and Turkey. Kaspersky pointed out that even though it has been found in Russia, the malware will not run on devices whose language is set to Russian, which may be a clue that the trojan was developed in that country.
The trojan is distributed through malicious websites, usually disguised as a fake Flash Player, and, insidiously, it will infect even a fully updated device running the latest Android version.
Once installed, Trojan-Banker.AndroidOS.Svpeng.ae checks that the device language is not set to Russian and then asks for access to the accessibility service. Once this is granted, the trojan can give itself device administrator rights, install itself as the default texting app and overlay itself on top of all the other apps on the phone. It also blocks other apps from obtaining administrator rights so that it cannot be uninstalled.
“Using accessibility services allows the Trojan to get access to the UI of other apps and to steal data from them, such as the names of the interface elements and their content, if it is available. This includes entered text. Furthermore, it takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server. It supports not only the standard Android keyboard but also a few third-party keyboards,” Kaspersky said.
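The three footholds described above (an unexpected accessibility service, an unexpected device administrator and a hijacked default SMS app) can be checked from the output of a few `adb shell` commands. The triage helper below is an added example, not code from the article or from Kaspersky; the allowlists, the `dumpsys device_policy` line layout it parses and the sample captures are assumptions, and the fake package name is constructed.

```python
import re

# Assumed allowlists: services and admins a defender has reviewed for this fleet (example values).
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback/.TalkBackService"}
KNOWN_DEVICE_ADMINS = {"com.example.mdm/.AdminReceiver"}
EXPECTED_SMS_APP = "com.google.android.apps.messaging"

def parse_accessibility(raw):
    """Parse `adb shell settings get secure enabled_accessibility_services` output:
    a colon-separated list of component names, or 'null' when none is enabled."""
    raw = raw.strip()
    return set() if raw in ("", "null") else {e for e in raw.split(":") if e}

def parse_device_admins(raw):
    """Pull active admin components out of `adb shell dumpsys device_policy` output.
    Assumed layout: each admin appears as an indented 'pkg/.Receiver:' line."""
    return set(re.findall(r"^\s+([\w.]+/[\w.$]+):\s*$", raw, re.MULTILINE))

def triage(accessibility_raw, device_policy_raw, sms_default_raw):
    """Return findings for the three changes the trojan is described as making:
    an unknown accessibility service, an unknown device admin, and a changed
    default SMS app (`adb shell settings get secure sms_default_application`)."""
    return {
        "unknown_accessibility": sorted(parse_accessibility(accessibility_raw) - KNOWN_ACCESSIBILITY),
        "unknown_device_admins": sorted(parse_device_admins(device_policy_raw) - KNOWN_DEVICE_ADMINS),
        "sms_app_changed": sms_default_raw.strip() not in ("", "null", EXPECTED_SMS_APP),
    }

# Constructed sample captures (not from a real device); com.fake.flashplayer is illustrative only.
SAMPLE_ACCESSIBILITY = "com.google.android.marvin.talkback/.TalkBackService:com.fake.flashplayer/.A11yService"
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.example.mdm/.AdminReceiver:
      uid=10087
    com.fake.flashplayer/.AdminReceiver:
      uid=10231
"""
SAMPLE_SMS_DEFAULT = "com.fake.flashplayer"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_SMS_DEFAULT).items():
        print(f"{key}: {value}")
```

Any non-empty finding is a prompt for manual review of that package, not proof of infection, since legitimate MDM agents and assistive apps hold the same privileges.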