The mobile trojan Svpeng is growing up. From humble roots last year as a standard trojan-class malicious program that stole money from SMS banking accounts, it went on to emerge as a fully mature, sophisticated banking bug that comes complete with ransomware capabilities. Now, its keepers have split off the ransomware function as a separate piece of malware.
Kaspersky Lab noted that Svpeng’s evolution began last year, when it noticed that cybercriminals had perfected the trojan’s functionality and it had begun attacking specifically customers of three of Russia’s biggest banks.
“Svpeng would wait until the user opened an online banking app and then replace it with its own in an attempt to obtain the victim’s login and password,” explained Roman Unuchek, Kaspersky Lab expert, in an analysis. “The Trojan also attempted to steal bank card details by displaying its own window on top of the Google Play app and requesting the information the criminals wanted.”
At the beginning of the year, a new modification of Svpeng emerged with ransomware capabilities. When instructed by its server, the malware attempted to block the user’s phone and display a message demanding payment of a $500 “fee” for alleged criminal activity.
Now, it appears that the cybercriminals behind the malware have decided to enhance the ransomware piece and release it as a separate trojan.
“While the main version targeted Russia, 91% of those infected by the new version were in the US,” said Unuchek. “The malware also attacked users in the UK, Switzerland, Germany, India and Russia.”
To carry out its nefarious work, Svpeng performs a bogus “scan” of the victim’s phone and, of course, finds some “prohibited content.” It then blocks the phone and demands a payment of $200 to unblock it. It also displays a photo of the user taken by the phone’s front camera.
“When it comes to ransomware Trojans, the new modification of Svpeng stands out for its wholly new implementation of standard features – it completely blocks the mobile device, even making it impossible to invoke the menu to switch off or reload the device,” explained Unuchek. “The victim can turn off the device by pressing the on/off button for a few seconds, but the Trojan immediately starts working as soon as the device is switched on again.”
It’s unlikely that this is the end of the story for Svpeng’s evolution, however. Kaspersky has identified seven modifications of the new Svpeng.
“All of them include a Cryptor class reference, but none of them makes any attempt to use it,” Unuchek said. “It could mean that in the future the cybercriminals will use the Trojan to encrypt user data and demand a ransom to decrypt it.”