SVPENG: Mobile Malware Expanding to New Territories


Over the last week, the media has been reporting on a new mobile malware called SVPENG. Though widely regarded as a new threat, this malware had already been under investigation by Trusteer’s security team in 2013, when it was discovered in its testing phases. It was presented and discussed February this year during IBM’s Pulse conference.

Overview of SVPENG: The First of Its Kind

SVPENG is a piece of mobile malware that may well be the first PC-grade malware for mobile devices. While the security industry has identified multiple types of threats to mobile devices, these have mostly been SMS-forwarding malware (targeting one-time-password SMSs) or rogue applications. SVPENG is unique in that it applies a known PC malware technique to trick users into handing their credentials to the malware. It currently disguises itself as an Adobe Flash Player update, although this may change. Once it infects the device and obtains administrative privileges, it runs three processes, one of which is responsible for launching the overlay attack.

The overlay attack springs into action as soon as the victim taps his or her banking app. Following the tap, SVPENG generates a screen that is visually similar to the app the user launched and presents it on top of the actual app. This fools the victim into thinking that he or she is interacting with the legitimate app while actually feeding credentials to the malware. While this is not a typical HTML injection attack as we know them from the PC world, these types of overlay attacks have been around for years, mostly dominating the threat landscape in Brazil.
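The overlay described above is a window drawn by another app on top of the banking app, and to collect typed credentials that window must take input focus away from the banking app's own window. The following is an added example, not code from the original post or from Trusteer's products: an Android activity that treats a window-focus loss occurring shortly after the activity resumes, without the activity itself being paused (which is what a normal switch to another activity would do), as a possible overlay, and lists which installed packages requested the permission needed to draw over other apps. The package name, the 3-second threshold and the `onPossibleOverlay()` hook are assumptions made for the example.

```java
// Added example of a defensive overlay heuristic for an Android banking app.
// Not from the original post; package name and thresholds are assumptions.
package com.example.overlaycheck;

import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.SystemClock;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

public class LoginActivity extends Activity {
    private static final String TAG = "OverlayCheck";
    // A focus loss this soon after resume, with no onPause(), is treated as suspicious
    // (threshold chosen for the example; tune against real telemetry).
    private static final long SUSPICIOUS_WINDOW_MS = 3000;

    private long resumedAt;
    private boolean paused;

    @Override
    protected void onResume() {
        super.onResume();
        resumedAt = SystemClock.elapsedRealtime();
        paused = false;
    }

    @Override
    protected void onPause() {
        super.onPause();
        // A normal switch to another activity pauses us first. A window drawn over
        // the app by another package does not pause us; it only takes window focus.
        paused = true;
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (hasFocus) {
            return;
        }
        long sinceResume = SystemClock.elapsedRealtime() - resumedAt;
        if (isSuspiciousFocusLoss(sinceResume, paused)) {
            Log.w(TAG, "window focus lost " + sinceResume + " ms after resume without onPause;"
                    + " possible overlay. Packages able to draw over apps: "
                    + packagesWithAlertWindow());
            onPossibleOverlay();
        }
    }

    /** Pure decision helper, kept separate so the heuristic can be unit tested. */
    static boolean isSuspiciousFocusLoss(long msSinceResume, boolean activityPaused) {
        return !activityPaused && msSinceResume >= 0 && msSinceResume < SUSPICIOUS_WINDOW_MS;
    }

    /** Installed packages that requested SYSTEM_ALERT_WINDOW, the permission needed
     *  to draw a window on top of other apps. Useful as a risk signal, not proof. */
    List<String> packagesWithAlertWindow() {
        List<String> result = new ArrayList<>();
        PackageManager pm = getPackageManager();
        for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (info.requestedPermissions == null) {
                continue;
            }
            for (String perm : info.requestedPermissions) {
                if ("android.permission.SYSTEM_ALERT_WINDOW".equals(perm)) {
                    result.add(info.packageName);
                    break;
                }
            }
        }
        return result;
    }

    /** Hypothetical hook: clear any entered credentials and report a risk signal
     *  to the bank's back end so the session can be stepped up or declined. */
    private void onPossibleOverlay() {
    }
}
```

The focus-loss check also fires on benign events such as the notification shade being pulled down, so it is best consumed as one input to a server-side risk score for the device and the account, in the same spirit as the "raise the risk" approach the post describes, rather than as a hard block.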

In addition to the overlay attack, SVPENG is also capable of launching a ransomware attack on the infected device. Just as PC ransomware scares and forces the victim into paying the attacker to regain control of, or access to, the infected device, so too does SVPENG on mobile devices. Users receive a message, which claims to have been sent by the FBI, explaining that the infected device has been used to access child pornography sites and has been locked until a $500 fine is paid via MoneyPak; the authors of SVPENG simply carried a technique that has been successful on PCs over to the mobile world.

Stopping the Spread of SVPENG

Julia Karpin and Lior Keshet of Trusteer’s security team have been researching SVPENG since its early days when it was still being tested by its creators. This early detection allowed Trusteer, now an IBM company, to develop countermeasures that were immediately implemented into the product line, thus allowing immediate detection of the threat. Trusteer Mobile SDK and Trusteer Mobile App Secure Browser are both capable of identifying this threat, allowing financial institutions to raise the risk associated with the infected device and the account.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques


1 comment
JEBworks

Just had this pop up in my Chrome browser on Mac OS 10.9.3 and was unable to close it. I was only able to force a shutdown. So it looks like it's not only a mobile app threat.