
Security researchers have uncovered a new variant of the infamous Android mobile banking Trojan Svpeng, which now comes equipped with a keylogger feature.

According to Kaspersky Lab, the latest update allows cybercriminals to steal entered text by exploiting a device’s accessibility services.

Designed for users with disabilities or those temporarily unable to interact fully with a device, the functionality is intended to provide user interface (UI) enhancements.

In this case, the Trojan abuses the feature to grant itself administrator rights, as well as installing itself as the default SMS app. Svpeng also grants itself dynamic permissions, including the ability to send and receive texts, make calls and read contacts.

Researchers found it can block any attempt to remove device administrator rights to prevent its uninstallation.

Kaspersky senior malware analyst Roman Unuchek further explains in a blog post:

“Using accessibility services allows the Trojan to get access to the UI of other apps and to steal data from them, such as the names of the interface elements and their content, if it is available. This includes entered text. Furthermore, it takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server. It supports not only the standard Android keyboard but also a few third-party keyboards.”
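The combination described above (an accessibility service, a device-administrator receiver, registration as the default SMS handler, plus SMS, call and contacts permissions) is visible in an app's manifest before the app ever runs. The following added triage script is not Kaspersky's code or part of the article; it parses two constructed AndroidManifest.xml samples and flags that combination. The package names, component names and the scoring thresholds are assumptions chosen for illustration; the permission and intent-action strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the android: XML namespace used in every manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample, not a real app: it declares every trait the article
# attributes to Svpeng at once. Package and class names are invented.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Sample">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample for contrast: one activity, network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr_values(root, tag, attr):
    """Collect the android:<attr> values of every <tag> element in the manifest."""
    return {e.get(A + attr) for e in root.iter(tag) if e.get(A + attr)}


def assess_manifest(xml_text):
    """Return the indicators found plus a verdict of 'low', 'medium' or 'high'."""
    root = ET.fromstring(xml_text)
    perms = _attr_values(root, "uses-permission", "name")
    actions = _attr_values(root, "action", "name")
    # Components protected by a BIND_* permission reveal privileged roles.
    guards = {e.get(A + "permission") for e in root.iter() if e.get(A + "permission")}

    findings = {
        "accessibility_service": (
            "android.permission.BIND_ACCESSIBILITY_SERVICE" in guards
            or "android.accessibilityservice.AccessibilityService" in actions),
        "device_admin": (
            "android.permission.BIND_DEVICE_ADMIN" in guards
            or "android.app.action.DEVICE_ADMIN_ENABLED" in actions),
        # SMS_DELIVER is only delivered to the default SMS app, so a receiver
        # for it means the app intends to take over that role.
        "default_sms_handler": "android.provider.Telephony.SMS_DELIVER" in actions,
        "sms_permissions": bool(perms & {"android.permission.SEND_SMS",
                                         "android.permission.RECEIVE_SMS"}),
        "call_or_contacts": bool(perms & {"android.permission.CALL_PHONE",
                                          "android.permission.READ_CONTACTS"}),
    }
    hits = sum(findings.values())
    # Thresholds are an assumption for this example: accessibility plus device
    # admin together is the pairing the article describes, so it alone is "high".
    if findings["accessibility_service"] and findings["device_admin"]:
        verdict = "high"
    elif hits >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess_manifest(text)
        print(label, result["verdict"], {k: v for k, v in result.items() if v is True})
```

Single indicators are normal for legitimate software (messaging apps register for SMS_DELIVER, screen readers bind an accessibility service), which is why the verdict rests on the pairing of accessibility access with device-administrator rights rather than on any one flag.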

Fortunately, researchers believe the Trojan is not yet widely deployed. After discovering the variant in mid-July, Kaspersky observed only a small number of users attacked in the course of a week.

However, the attacks spanned nearly two dozen countries, most of them occurring in Russia (29 percent), Germany (27 percent), Turkey (15 percent), Poland (6 percent) and France (3 percent).

“It is worth noting that, even though most attacked users are from Russia, this Trojan won’t work on devices running the Russian language. This is a standard tactic for Russian cybercriminals looking to evade detection and arrest,” said Unuchek.

The Svpeng malware family has been around since 2013 and has continuously evolved to become more dangerous and effective.

“… it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money,” added Unuchek.

Android users are advised to avoid downloading mobile apps from unknown sources and to remain vigilant of apps that request excessive privileges.