An Android Trojan Swindles Banking Credentials

A new variation of the Svpeng Trojan uses several tricks to phish for credit card numbers and online banking credentials.

Android malware now has a well-established track record of monetary theft, which is typically accomplished by sending text messages to premium rate numbers. At the end of summer we wrote about a new Trojan, which was able to steal from a debit/credit card if the card was bound to a phone number. Cybercriminals never stop inventing new ways to steal money or find the means to access money from unsuspecting victims. A new variation of the aforementioned Svpeng Trojan uses several tricks to phish for credit card numbers and online banking credentials.


It is worth mentioning that the specific sample we discovered targets Russian users, however, Russia often serves as a testing ground for cybercriminals. Well-proven schemes usually go overseas quite quickly. For now, the malware appears to be interested in U.S., German, Belarusian and Ukrainian victims. Currently the Trojan is configured to mimic popular Russian banks. Upon the launch of the mobile banking app, the Trojan replaces the open window with its own to swindle out the password.

Screen Shot 2013-11-07 at 2.15.15 PM

Another implemented attack is more versatile as it targets Google Play users. When victim launch the Android online market app, the Trojan overlaps Google’s windows with its own and proposes that users add a credit card to the account.

Screen Shot 2013-11-07 at 2.15.27 PM

During three months of the Trojan’s existence, Kaspersky Lab has discovered over 50 modifications of this malware, which means that criminals recognize its high “commercial value”. No doubt, we will see new versions of the Trojan that will able to steal from clients of various banks in multiple countries very soon. The current version spread itself using SMS spam, but other variations might utilize another infection tactic.

To avoid infection, follow the Android user golden rules:

  • Switch off “Allow installation from unknown sources” in security settings
  • Use Google Play, do not use untrusted third-party app stores
  • Before installing a new app, check every permission requested by this app and consider if those permissions are reasonable for that type of app
  • Check app ratings and download counts, avoid applications with low ratings and a small number of downloads

Use full-scale security protection for your Android