Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Ransomware “Svpeng” strikes US, leaves Android devices unusable

A mobile trojan called “Svpeng,” has now been updated to extort Android users in the U.S., researchers warn.

Discovered last July by Kaspersky, Svpeng was initially used to steal payment card information from Russian bank customers. As of this month, however, a separate version of the malware has been locking up U.S. victims' devices so  fraudsters can collect a ransom.

On Wednesday, Roman Unuchek, senior malware analyst at Kaspersky Lab, detailed scammers' new exploits in a blog post.

At the start of the year, Svpeng was modified to offer ransomware capabilities, Unuchek explained. The malware blocked Russian users' devices with messages accusing them of accessing child pornography.

But this summer, an newer iteration of the malware began using a similar hoax against U.S. users.

“At the beginning of June we identified a new spin-off version of the trojan,” Unuchek wrote in the blog post. “While the main version targeted Russia, 91% of those infected by the new version were in the US. The malware also attacked users in the UK, Switzerland, Germany, India and Russia.”

The ransomware launches a “scan” on victims' devices, then shows them a phony FBI message saying their device was used to visit porn sites. A $200 MoneyPak payment is then demanded to unlock the phone, Unuchek said.

In a Wednesday email to, Unuchek explained how Svpeng is of particular nuisance to victims, and different from other ransomware, like CryptoLocker.

“It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution – the malware will block the device completely, not separate files as CryptoLocker did,” Unuchek wrote.  “If it happens to you, you can do almost nothing. The only hope for unlocking the device is if it was already rooted before it was infected. Then it could be unlocked without deleting the data. One more option to remove the trojan, if your phone wasn't rooted, is to boot into ‘Safe Mode' and erase all data on the phone only, [since] SIM and SD cards will stay untouched and uninfected."

In addition to its ransomware features, Svpeng also checks for mobile banking apps on victims' phones, including apps for Bank of America, USAA, Wells Fargo and other U.S. institutions. Researchers believe the data will be used to target customers in future campaigns.

In a Thursday follow up email, Unuchek told that Svpeng would likely be updated to steal bank credentials from U.S. users (as it did in Russia).

“For now, this piece of malware does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known trojan that operates in Russia and is used mainly for money stealing,” Unuchek wrote. “Additionally, the trojan's code contains some mentions of the Cryptor method which was not used yet, so it is likely that soon it will be utilized to encrypt user data and demand a ransom to decrypt it."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.