Over the last week, the media has been reporting on a new mobile malware called SVPENG. Though widely regarded as a new threat, this malware had already been under investigation by Trusteer’s security team in 2013, when it was discovered in its testing phases. It was presented and discussed in February of this year at IBM’s Pulse conference.

Overview of SVPENG: The First of Its Kind

SVPENG is a piece of mobile malware that may well be the first PC-grade malware for mobile devices. While the security industry has identified multiple types of threats to mobile devices, they have mostly consisted of SMS-forwarding malware (targeting one-time password SMSs) or rogue applications. SVPENG is unique in that it uses a known PC malware technique to trick users into handing their credentials to the malware. It currently disguises itself as an Adobe Flash Player update, although this may change. Once it infects the device and obtains administrative privileges, it runs three processes, one of which is responsible for launching the overlay attack.

The overlay attack springs into action as soon as the victim taps his or her banking app. Following the tap, SVPENG generates a screen that is visually similar to the app the user launched and presents it on top of the actual app. This fools the victim into thinking that he or she is interacting with the legitimate app, while the credentials are actually being fed to the malware. While this is not a typical HTML injection attack as we know them from the PC world, these types of overlay attacks have been around for years, mostly dominating the threat landscape in Brazil.
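As an added illustration of the app-side countermeasures a banking app can apply against the overlay attack just described (this is not code from Trusteer or from the original post): a base Android Activity that discards touches arriving while its window is obscured and flags a loss of window focus immediately after the screen appears. The focus-loss threshold and the `reportRiskSignal` hook are assumptions; the threshold heuristic also fires on legitimate system dialogs, so it belongs in a risk score rather than a hard block.

```java
import android.app.Activity;
import android.os.SystemClock;
import android.util.Log;
import android.view.MotionEvent;

/*
 * Added example (not Trusteer/IBM code). Two defences against overlay attacks:
 * 1. A touch delivered while another window covers ours is dropped and reported
 *    (Android sets MotionEvent.FLAG_WINDOW_IS_OBSCURED on such touches).
 * 2. Losing window focus right after the screen appears is reported as a
 *    possible full-screen overlay that took focus. This is a heuristic
 *    (assumption): permission prompts and other system dialogs also take focus.
 */
public abstract class OverlayAwareActivity extends Activity {
    private static final String TAG = "OverlayAware";
    // Assumed threshold: focus lost this soon after resume is treated as suspicious.
    private static final long SUSPICIOUS_FOCUS_LOSS_MS = 1500;
    private long resumedAt;

    @Override
    protected void onResume() {
        super.onResume();
        resumedAt = SystemClock.elapsedRealtime();
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        long sinceResume = SystemClock.elapsedRealtime() - resumedAt;
        if (!hasFocus && sinceResume < SUSPICIOUS_FOCUS_LOSS_MS) {
            // Defence 2: another window took focus almost immediately after ours appeared.
            reportRiskSignal("window focus lost " + sinceResume + " ms after resume");
        }
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            // Defence 1: a window we do not own sits between the user and this screen,
            // so the touch is never passed to the view tree.
            reportRiskSignal("touch received while window obscured");
            return false;
        }
        return super.dispatchTouchEvent(ev);
    }

    /** Hypothetical hook for the app's risk engine; here it only logs. */
    protected void reportRiskSignal(String reason) {
        Log.w(TAG, "possible overlay: " + reason);
    }
}
```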

In addition to the overlay attack, SVPENG is also capable of launching a ransomware attack on the infected device. Just as PC ransomware scares and forces the victim into paying the attacker to regain control of or access to the infected device, so does SVPENG on mobile devices. Users receive a message, which claims to have been sent by the FBI, explaining that the infected device has been used to access child pornography sites and has been locked until a $500 fine is paid via MoneyPak; the authors of SVPENG simply brought a technique that has been successful on PCs to the mobile world.

Stopping the Spread of SVPENG

Julia Karpin and Lior Keshet of Trusteer’s security team have been researching SVPENG since its early days when it was still being tested by its creators. This early detection allowed Trusteer, now an IBM company, to develop countermeasures that were immediately implemented into the product line, thus allowing immediate detection of the threat. Trusteer Mobile SDK and Trusteer Mobile App Secure Browser are both capable of identifying this threat, allowing financial institutions to raise the risk associated with the infected device and the account.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
