Security researchers from Kaspersky Labs have revealed a new variant of a known mobile banking Trojan virus that has gained the ability to use ransomware-style attacks as well as the ability to gather data on U.S. mobile banking habits. The new version of the Trojan virus had been specifically targeting Russian mobile banking customers, but has since begun infecting U.S. targets and extorting payments through fraudulent claims of FBI fines.
The virus known as Svpeng
Kaspersky Labs security researchers first discovered the mobile Trojan virus named Svpeng a little more than a year ago. The virus was initially classified as a "standard Trojan-SMS class malicious program that stole money from SMS banking accounts." As time went by, newer variants of the Svpeng Trojan began to be recognized. The virus began to target customers of specific Russian banking institutions, and it also attempted to steal credit card details through the manipulation of the Android-based Google Play store.
Earlier this year, a more recent variant showed modifications that would block use of the user's device while demanding payment for a fictitious crime. This functionality disappeared from the ecosystem relatively quickly.
The most recent variant of Svpeng is a spin-off of the last version that has so far targeted mainly U.S. devices. According to Roman Unucheck, author of the virus report and Kaspersky Lab Expert, 91% of the new variant's infections are in the U.S., with the remaining infections covering the UK, Switzerland, Germany, India, and Russia.
The new Svpeng variant is insidious in that it wrests control of the infected device almost entirely from the user.
"When it comes to ransomware Trojans, the new modification of Svpeng stands out for its wholly new implementation of standard features - it completely blocks the mobile device," said Unucheck, "even making it impossible to invoke the menu to switch off or reload the device. The victim can turn off the device by pressing the on/off button for a few seconds, but the Trojan immediately starts working as soon as the device is switched on again."
To make matters worse, the new Svpeng variant also includes a Java Cryptor class reference, which could mean that future versions of the virus will also forcibly encrypt infected devices.
Fortunately for those infected by Svpeng already, the virus is not actively attacking U.S. mobile banking accounts. So far the virus is just gathering data to upload to its command and control server. According to Unucheck, "The cybercriminals are probably just gathering statistics about the use of these apps on infected devices. Considering that Svpeng is, first and foremost, a banking Trojan, we can expect to see attacks on the clients of these banks who use mobile apps to manage their accounts."