Even though the infamous GameOver Zeus botnet and the CryptoLocker ransomware have been disrupted, their stories and media coverage has enticed other mobile malware writers to copy their concept and release their own versions. On June 8th, Kaspersky Lab detected a similar mobile Trojan called Svpeng (good luck pronouncing that), currently operating in the UK and USA. This Trojan combines the functionality of financial malware with ransomware capabilities to create the worst of both worlds. This mobile Trojan previously seemed to operate mainly within Russia, and has just recently spread to other countries.
Svpeng currently does not steal credentials, though since it is just a modification of another well known Russian Trojan which is used for stealing money, it means that it is only a matter of time. It's code also contains some mentions of the Cryptor method, which also indicates that this could one day be used for file encryption. It is also worth mentioning that the detection of Svpeng comes weeks after the detection of another similar Trojan called Pletor, which appeared sometime in May.
Such Trojans currently checks for a number of financial applications on the user's mobile device, which it then uses to steal the usernames and passwords of. In Svpeng's case, the English version checks devices for the following applications:
- USAA Mobile
- Citi Mobile
- Amex Mobile
- Wells Fargo Mobile
- Bank of America Mobile Banking
- TD App
- Chase Mobile
- BB&T Mobile Banking
- Regions Mobile
After detecting such applications to goes on to lock the screen of the device with an imitation of an FBI penalty notification letter and will demand $200 in the form of Green Dot's MoneyPak cards. The UK and USA currently accounts for 91% of attacks, whilst the 9% comprises of India, Germany and Switzerland.
Roman Unuchek, Senior Malware Analyst at Kaspersky Lab had the following advice:
"It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution - the malware will block the device completely, not separate files as Cryptolocker did. If it happens to you, you can do almost nothing. The only hope for unlocking the device is if it was already rooted before it was infected; then it could be unlocked without deleting the data. One more option to remove the Trojan if your phone wasn't rooted is to boot into 'Safe Mode' and erase all data on the phone only, while SIM and SD cards will stay untouched and uninfected."