Svpeng Android ransomware is impossible to repel after the infection

Experts at Kaspersky Lab are following the evolution of the Svpeng Android malware, which was born as a banking trojan and has evolved into ransomware that is now hitting US users.

The mobile malware Svpeng is evolving: recent versions have been adapted to a classic extortion scheme targeting Android devices in the US.

Svpeng was detected for the first time one year ago by experts at Kaspersky Lab; the first instances were designed to steal payment card information from customers of a Russian bank. In recent weeks a new variant of Svpeng has been identified that locks the mobile devices of US users and demands a ransom.

According to senior malware analyst Roman Unuchek, early this year Svpeng was modified to implement ransomware capabilities.

As described by Unuchek in a blog post, the malicious code hit Russian users’ devices, blocking their smartphones and displaying messages accusing them of accessing child pornography.

Svpeng hits Russian users

This specific version of Svpeng quickly disappeared, probably because the malware author decided to improve it; in the meantime the original banking version of the malware continued to hit Russian mobile banking customers.

Since the beginning of June the same Svpeng ransomware has been targeting mainly US Android users and, according to the experts at Kaspersky Lab, other victims were observed in the UK, Switzerland, Germany, India and Russia.

“At the beginning of June we identified a new spin-off version of the trojan,” Unuchek wrote in the blog post. “While the main version targeted Russia, 91% of those infected by the new version were in the US. The malware also attacked users in the UK, Switzerland, Germany, India and Russia.”

The ransomware locks the user’s device, then displays a bogus FBI message informing the victim that the device was used to visit websites hosting pornographic content. To unlock the phone, Svpeng demands a ransom of $200, to be paid via the MoneyPak payment system.

Svpeng differs from other ransomware such as CryptoLocker and Simplocker, as Unuchek explains:

“It is impossible to repel an attack of American Svpeng if a mobile device doesn’t have a security solution – the malware will block the device completely, not separate files as CryptoLocker did,” Unuchek wrote. “If it happens to you, you can do almost nothing. The only hope for unlocking the device is if it was already rooted before it was infected. Then it could be unlocked without deleting the data. One more option to remove the trojan, if your phone wasn’t rooted, is to boot into ‘Safe Mode’ and erase all data on the phone only, [since] SIM and SD cards will stay untouched and uninfected.”

The Svpeng ransomware variant also retains hooks inherited from its banking-trojan lineage: it checks the victim’s device for installed mobile banking apps (Bank of America, USAA, Wells Fargo and other US bank apps), although for now it does not steal credentials from them.

“For now, this piece of malware does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known trojan that operates in Russia and is used mainly for money stealing,” Unuchek wrote. “Additionally, the trojan’s code contains some mentions of the Cryptor method which was not used yet, so it is likely that soon it will be utilized to encrypt user data and demand a ransom to decrypt it.”

It is only a matter of time before a new variant of Svpeng targets many other banking apps as well.

Stay tuned!

Pierluigi Paganini

(Security Affairs – Svpeng, ransomware)