A New Era in Mobile Banking Trojan Gets ‘Keylogger’ to Steal Everything

Security researchers have discovered that one of the most dangerous Android banking Trojan families has now been modified to add a keylogger to its recent strain, giving attackers yet another way to steal victims sensitive data.

Kaspersky Lab’s Senior malware analyst Roman Unuchek spotted a new variant of the well-known Android banking Trojan, dubbed Svpeng, in the mid of last month with a new keylogger feature, which takes advantage of Android’s Accessibility Services.

Trojan Exploits ‘Accessibility Services’ to Add Keylogger

The keylogger added in the new version of Svpeng takes advantage of Accessibility Services — an Android feature that provides users alternative ways to interact with their smartphone devices.

This change makes the Svpeng Trojan able not only to steal entered text from other apps installed on the device and log all keystrokes, but also to grant itself more permissions and rights to prevent victims from uninstalling the Trojan.

 Over a month ago, researchers also discovered another attack taking advantage of Android’s Accessibility Services, called Cloak and Dagger attack, which allows hackers to silently take full control of the infected devices and steal private data.
If You Are Russian, You Are Safe!

Although the new variant of the Svpeng malware is not yet widely deployed, the malware has already hit users in 23 countries over the course of a week, which include Russia, Germany, Turkey, Poland, and France.

But what’s worth noticing is that, even though most infected users are from Russia, the new variant of Svpeng Trojan doesn’t perform malicious actions on those devices.

According to Unuchek, after infecting the device, the Trojan first checks the device’s language. If the language is Russian, the malware prevents further malicious tasks—this suggests the criminal group behind this malware is Russian, who are avoiding to violate Russian laws by hacking locals.

The attack process

Unuchek says the latest version of Svpeng he spotted in July was being distributed through malicious websites that disguised as a fake Flash Player.

Svpeng was able to become a device administrator without any interaction with the user just by using accessibility services.
Once installed, the malware first checks for the device language and, if the language is not Russian, asks the device to use Accessibility Services, which opens the infected device to a number of dangerous attacks.

With having access to Accessibility Services, the Trojan grants itself device administrator rights, displays an overlay on the top of legitimate apps, installs itself as a default SMS app, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.

Additionally, using its newly-gained administrative capabilities, the Trojan can block every attempt of victims to remove device administrator rights—thereby preventing the uninstallation of the malware.

Using accessibility services, Svpeng gains access to the inner working of other apps on the device, allowing the Trojan to steal text entered on other apps and take screenshots every time the victim presses a button on the keyboard, and other available data.

“Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app,” Unuchek says.

“It is interesting that, in order to find out which app is on top, it uses accessibility services too.”


All the stolen information is then uploaded to the attackers’ command and control (C&C) server. As part of his research, Unuchek said he managed to intercept an encrypted configuration file from the malware’s C&C server.

Decrypting the file helped him find out some of the websites and apps that Svpeng targets, as well as help him obtain a URL with phishing pages for both the PayPal and eBay mobile apps, along with links for banking apps from the United Kingdom, Germany, Turkey, Australia, France, Poland, and Singapore.

Besides URLs, the file also allows the malware to receive various commands from the C&C server, which includes

  • Sending SMS,
  • Collecting information such as contacts.
  • Installed apps and call logs.
  • Opening the malicious link.
  • Gathering all SMS from the device.
  • and stealing incoming SMS.


Securityleaks Advice

The Svpeng is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data. so it is little advice’s to users can do in order to protect themselves.

  • Always stick to trusted sources, like Google Play Store and the Apple App Store, but only from trusted and verified developers.
  • Most importantly, verify app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
  • Do not download apps from third party sources, as most often such malware spreads via untrusted third-parties.
  • Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
  • Never click on links provided in an SMS, MMS or email. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
  • Install a good antivirus app that can detect and block such malware before it can infect your device, and always keep the app up-to-date.


 Credit: Thehackernews , Securelist

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he passion for covering latest happening in cybersecurity world such as malware, breaches, vulnerabilities, exploits, white-papers, hacking newsbytes, Dark Web, hacking tutorials and a few more.

Leave a Reply

Your email address will not be published. Required fields are marked *