Over the last week, the media has been reporting on a new mobile malware called SVPENG. Though widely regarded as a new threat, this malware had already been under investigation by Trusteer’s security team in 2013, when it was discovered in its testing phases. It was presented and discussed February this year during IBM’s Pulse conference.

Overview of SVPENG: The First of Its Kind

SVPENG is a piece of mobile malware that may well be the first PC-grade malware for mobile devices. While the security industry has identified multiple types of threats to mobile devices, most of them have been SMS-forwarding malware (targeting one-time-password SMS messages) or rogue applications. SVPENG is unique in that it uses a known PC malware technique to trick users into handing their credentials to the malware. It currently disguises itself as an Adobe Flash Player update, although this lure may change. Once it infects the device and is granted administrator privileges, it runs three processes, one of which is responsible for launching the overlay attack.

The overlay attack springs into action as soon as the victim opens his or her banking app. When the app is launched, SVPENG generates a screen that is visually similar to that app and presents it on top of the real one. The victim believes he or she is interacting with the legitimate app, when in fact the credentials are being typed into the malware's screen. While this is not a typical HTML injection attack as we know it from the PC world, overlay attacks of this kind have been around for years and have dominated the threat landscape in Brazil in particular.
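The paragraph above describes the attack from the malware's side. The platform-level check a banking app can apply against input arriving through an overlaying window is shown below as an added example; it is not code from the original post or from Trusteer, and the class and package names are hypothetical. It uses only the public Android `View` and `MotionEvent` APIs.

```java
// Added example (not from the original post or from Trusteer): an Android
// input field that refuses touches delivered while another window covers it.
// Package and class names are hypothetical; the APIs are standard android.view.
package com.example.bank.ui;

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.EditText;

public class ObscuredAwareEditText extends EditText {
    private static final String TAG = "ObscuredAwareEditText";

    public ObscuredAwareEditText(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform mitigation: with this flag set, the framework discards
        // touches whose MotionEvent carries FLAG_WINDOW_IS_OBSCURED, i.e. a
        // window belonging to another app (toast, system-alert overlay,
        // translucent activity) was drawn over this view when the touch landed.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // A touch reached the real app through an overlay. Treat it as a
            // risk signal (e.g. report it to the bank's fraud back end) and
            // swallow the event so nothing is typed into the field.
            Log.w(TAG, "Touch received while window is obscured; dropping event");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Caveat: this check only sees touches that actually reach the legitimate app's window. If the fake screen is a full-screen activity that takes the foreground, the victim's taps go to the malware's window and never pass through the bank app's views, so the check raises nothing; it narrows the overlay class of attack rather than eliminating it, and is a complement to, not a substitute for, device-side risk signals of the kind described later in the post.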

In addition to the overlay attack, SVPENG is also capable of launching a ransomware attack on the infected device. Just as PC ransomware scares and coerces the victim into paying the attacker to regain control of or access to the infected machine, SVPENG does the same on mobile devices. Users receive a message, purportedly from the FBI, explaining that the infected device has been used to access child pornography sites and has been locked until a $500 fine is paid via MoneyPak. The authors of SVPENG have simply carried a technique that has been successful on PCs over to the mobile world.

Stopping the Spread of SVPENG

Julia Karpin and Lior Keshet of Trusteer’s security team have been researching SVPENG since its early days when it was still being tested by its creators. This early detection allowed Trusteer, now an IBM company, to develop countermeasures that were immediately implemented into the product line, thus allowing immediate detection of the threat. Trusteer Mobile SDK and Trusteer Mobile App Secure Browser are both capable of identifying this threat, allowing financial institutions to raise the risk associated with the infected device and the account.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
