Over the last week, the media has been reporting on a new mobile malware called SVPENG. Though widely regarded as a new threat, this malware had already been under investigation by Trusteer's security team in 2013, when it was discovered in its testing phases. It was presented and discussed in February of this year at IBM's Pulse conference.
Overview of SVPENG: The First of Its Kind
SVPENG is a piece of mobile malware that may well be the first PC-grade malware for mobile devices. While the security industry has identified multiple types of threats to mobile devices, those were mostly SMS-forwarding malware (targeting one-time-password SMS messages) or rogue applications. SVPENG is unique in that it uses a known PC malware technique to trick users into handing their credentials to the malware. It currently disguises itself as an Adobe Flash Player update, although this may change. Once it infects the device and receives administrative privileges, it runs three processes, one of which is responsible for launching the overlay attack.
The overlay attack springs into action as soon as the victim taps his or her banking app. SVPENG then generates a screen that is visually similar to the app the user launched and presents it on top of the actual app. This fools the victim into thinking that he or she is interacting with the legitimate app, while the credentials are actually being fed to the malware. While this is not a typical HTML injection attack as we know them from the PC world, overlay attacks of this kind have been around for years, mostly dominating the threat landscape in Brazil.
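The defensive counterpart to the overlay technique described above, written from the banking app's side, is shown below as an added example; it is not code from the article, from Trusteer, or from SVPENG. It assumes a hypothetical Android `LoginActivity` and uses two real platform APIs: `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, which Android sets on a touch that was delivered while another window covered the receiving window, and `View.setFilterTouchesWhenObscured`, which silently drops such touches. When an obscured touch is observed, the activity suspends credential entry and records a risk signal the app could forward to the bank.

```java
// Added example (not from the article, Trusteer or SVPENG): a hypothetical
// banking LoginActivity that refuses credential input while another window
// is drawn over it. Uses only standard Android SDK classes.
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.widget.Button;
import android.widget.EditText;
import android.widget.LinearLayout;

public class LoginActivity extends Activity {
    private static final String TAG = "OverlayGuard";

    private EditText userField;
    private EditText passwordField;
    private Button loginButton;
    // Set once an obscured touch has been seen; stays set for this screen.
    private boolean overlayDetected = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Keep the credential screen out of screenshots and screen recordings.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        LinearLayout root = new LinearLayout(this);
        root.setOrientation(LinearLayout.VERTICAL);

        userField = new EditText(this);
        userField.setHint("User ID");
        passwordField = new EditText(this);
        passwordField.setHint("Password");
        loginButton = new Button(this);
        loginButton.setText("Log in");

        // Platform-level guard: touches delivered through an obscuring window
        // are discarded before they reach these views at all.
        userField.setFilterTouchesWhenObscured(true);
        passwordField.setFilterTouchesWhenObscured(true);
        loginButton.setFilterTouchesWhenObscured(true);

        root.addView(userField);
        root.addView(passwordField);
        root.addView(loginButton);
        setContentView(root);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Activity-level guard: inspect every touch before it is dispatched,
        // so the condition is also logged and the whole form is locked.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            onOverlayDetected();
            return true; // consume the event; nothing below receives it
        }
        return super.dispatchTouchEvent(ev);
    }

    private void onOverlayDetected() {
        if (overlayDetected) {
            return; // already locked and reported
        }
        overlayDetected = true;
        loginButton.setEnabled(false);
        userField.setEnabled(false);
        passwordField.setEnabled(false);
        passwordField.setText("");
        // Risk signal for the bank's fraud/risk engine (transport is up to the
        // app; here it is only logged).
        Log.w(TAG, "touch arrived through an obscuring window; credential entry suspended");
    }

    // Exposed so other components (or tests) can query the risk state.
    public boolean isOverlayDetected() {
        return overlayDetected;
    }
}
```

This check covers the case where a foreign window sits over the genuine login screen and the user's touches still reach it (a transparent or partial overlay). A fully opaque fake screen that itself receives every touch, which is what the paragraph above describes, never delivers an event to the real activity, so this signal has to be combined with other device-risk indicators, such as the ones the article says Trusteer's products use to raise the risk score of an infected device.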
In addition to the overlay attack, SVPENG is also capable of launching a ransomware attack on the infected device. Just as PC ransomware scares and pressures the victim into paying the attacker to regain control of or access to the infected device, so too does SVPENG on mobile devices. Users receive a message, which claims to have been sent by the FBI, explaining that the infected device has been used to access child pornography sites and has been locked until a $500 fine is paid via MoneyPak; the authors of SVPENG simply carried a technique that has been successful on PCs over to the mobile world.
Stopping the Spread of SVPENG
Julia Karpin and Lior Keshet of Trusteer's security team have been researching SVPENG since its early days, when it was still being tested by its creators. This early detection allowed Trusteer, now an IBM company, to develop countermeasures that were immediately implemented into the product line, enabling immediate detection of the threat. Trusteer Mobile SDK and Trusteer Mobile App Secure Browser are both capable of identifying this threat, allowing financial institutions to raise the risk associated with the infected device and the account.