Categories: Malware

Svpeng Android ransomware is impossible to repel after the infection

Experts at Kaspersky Lab are following the evolution of the Svpeng Android malware, which was born as a banking trojan and has evolved into ransomware that hits US customers.

The mobile malware Svpeng is evolving, and recent versions have been adapted to a classic extortion scheme targeting Android devices in the US.

Svpeng was detected for the first time one year ago by experts at Kaspersky Lab; the first instances were designed to steal payment card information from customers of a Russian bank. In recent weeks a new variant of Svpeng was identified that locks the mobile devices of US users and demands a ransom.

According to senior malware analyst Roman Unuchek, early this year Svpeng was modified to implement ransomware capabilities.

As Unuchek described in a blog post, the malicious code hit Russian users’ devices, blocking their smartphones and displaying messages accusing them of accessing child pornography.

This specific version of Svpeng quickly disappeared, probably because the malware author decided to improve it; in any case, the original version of the malware continued to hit Russian mobile banking customers.

In July the same Svpeng ransomware began targeting mainly US Android users and, according to the experts at Kaspersky Lab, other victims were observed in the UK, Switzerland, Germany, India and Russia.

“At the beginning of June we identified a new spin-off version of the trojan,” Unuchek wrote in the blog post. “While the main version targeted Russia, 91% of those infected by the new version were in the US. The malware also attacked users in the UK, Switzerland, Germany, India and Russia.”

The ransomware locks the user’s device, then displays a bogus FBI message informing the victim that the device was used to visit websites offering pornographic content. To unlock the phone, Svpeng demands a ransom of $200, to be paid via the MoneyPak payment system.

Svpeng is considered different from other ransomware such as CryptoLocker and Simplocker, as Unuchek explained:

“It is impossible to repel an attack of American Svpeng if a mobile device doesn’t have a security solution – the malware will block the device completely, not separate files as CryptoLocker did,” Unuchek wrote. “If it happens to you, you can do almost nothing. The only hope for unlocking the device is if it was already rooted before it was infected. Then it could be unlocked without deleting the data. One more option to remove the trojan, if your phone wasn’t rooted, is to boot into ‘Safe Mode’ and erase all data on the phone only, [since] SIM and SD cards will stay untouched and uninfected.”

This Svpeng ransomware variant also includes information-stealing capabilities: it searches the victim’s device for mobile banking apps (Bank of America, USAA, Wells Fargo and other US bank apps).

“For now, this piece of malware does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known trojan that operates in Russia and is used mainly for money stealing,” Unuchek wrote. “Additionally, the trojan’s code contains some mentions of the Cryptor method which was not used yet, so it is likely that soon it will be utilized to encrypt user data and demand a ransom to decrypt it.”

It is only a question of time before a new variant of Svpeng targets many other bank apps as well.

Stay tuned!

Pierluigi Paganini

(Security Affairs – Svpeng, ransomware)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
