
Mutant Malware Threatens US Android Phones

An image from the new US-targeted version of Svpeng Ransomware. Credit: Kaspersky.


Meet Svpeng. Svpeng is an Android Trojan, a piece of malware that sneaks onto smartphones and tablets and runs harmful code. When Svpeng first appeared about a year ago, it was just one of many SMS-based banking Trojans, stealing money from SMS banking accounts in Russia and generally wreaking minor havoc on the Android platform. A nuisance, to be sure, but nothing exceptional, as far as Android malware goes.

But in the past year, little Svpeng has grown up. Now various versions of Svpeng can target mobile banking apps, disguise themselves as the Google Play store and even lock up infected phones and hold them for ransom. What's more, little Svpeng has moved out of its home in Russia and is now infecting Android devices all over the world, including the United States.


Moscow-based security company Kaspersky Lab, which first detected Svpeng, says that just a few months after its discovery, the malware already showed new abilities. For example, Svpeng gained the ability to remain hidden on infected phones until users access certain mobile banking apps.

Svpeng blocked those legitimate banking apps from opening, and instead launched a fake interface designed to look like the real app. Disguised as a banking app, Svpeng prompted users to enter their banking credentials, which were sent on to the criminals behind the malware.

Svpeng also did something similar with the Google Play store. When a user with a Svpeng-infected phone tapped the Google Play app, Svpeng launched an overlay designed to look like an authentic part of the app, which asked users to "re-enter" credit-card numbers or other financial information.

But that wasn't all. Early in 2014, Svpeng decided that being a banking Trojan just wasn't adequate to express its full identity. Svpeng now incorporates ransomware features specific to "police Trojans."

In those variants, Svpeng would replace the regular Android screen with a message, allegedly from local law enforcement, claiming that the phone's owner had been caught viewing child pornography and would need to pay a fine of $500 in order to unlock the phone. 

Soon after that, reports Kaspersky, Svpeng's creators decided to spin off its ransomware component into an entirely separate piece of malware. This new version of Svpeng got a makeover in looks as well as strength: Its screen overlay stops Android users from accessing any other device functions, and is difficult to circumvent because the malware launches upon reboot. (Affected users should use Google to learn how to put their specific device into "safe mode," which may get around the lockout.)

The creators have also customized the new variant of Svpeng to target Android users in the United States, tricking out the lock screen with an FBI logo. This version takes a picture of the infected phone's user with the device's front-facing camera and displays it on the screen, claiming that the FBI has the image and knows the user's face.

Users are then told to pay $200 in MoneyPak vouchers if they want to regain control of their phones, and are even directed to stores in the U.S. that sell the vouchers.

According to Kaspersky, 91 percent of the devices infected by this new Svpeng ransomware variant were located in the U.S., though it's also been detected on phones in the United Kingdom, Switzerland, Germany, India and Russia.

Svpeng isn't even done growing yet. Kaspersky also found evidence in Svpeng's code that the criminals might be prepping it to encrypt an infected phone's files, thus making the files inaccessible even if the device is rebooted in safe mode. Like owners of PCs encrypted by the recently defanged Cryptolocker ransomware Trojan, users of Android phones infected by Svpeng could then be forced to pay for the encryption key to decrypt the files.

Kaspersky researchers also found that Svpeng was scanning infected phones for installed apps belonging to major U.S. banks, then sending the results to command-and-control servers, possibly as a reconnaissance operation for future attacks.
