{
	"id": "854fbf60-c336-4608-a2ae-080723fa18bf",
	"created_at": "2026-04-06T00:13:14.895581Z",
	"updated_at": "2026-04-10T13:11:21.302555Z",
	"deleted_at": null,
	"sha1_hash": "3c8e15f23fe8c04a9abab9b9165aae8f1314c136",
	"title": "A new era in mobile banking Trojans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396982,
	"plain_text": "A new era in mobile banking Trojans\r\nBy Roman Unuchek\r\nPublished: 2017-07-31 · Archived: 2026-04-05 12:53:47 UTC\r\nIn mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.\r\nAccessibility services generally provide user interface (UI) enhancements for users with disabilities or those temporarily unable to interact fully with a device, perhaps because they are driving. Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan.\r\nAttack data suggests this Trojan is not yet widely deployed. In the space of a week, we observed only a small number of users attacked, but these targets spanned 23 countries. Most attacked users were in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). It is worth noting that, even though most attacked users are from Russia, this Trojan won’t work on devices running the Russian language. This is a standard tactic for Russian cybercriminals looking to evade detection and arrest.\r\nThe Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money. In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families, and it is why we monitor the functionality of new versions.\r\nThe attack process\r\nAfter starting, the Trojan-Banker.AndroidOS.Svpeng.ae checks the device language and, if it is not Russian, asks the device for permission to use accessibility services. In abusing this privilege, it can do many harmful things. It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts. Furthermore, using its newly gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation. It is interesting that in doing so it also blocks any attempt to add or remove device administrator rights for any other app too.\r\nhttps://securelist.com/a-new-era-in-mobile-banking-trojans/79198/\r\nPage 1 of 7\r\nSvpeng was able to become a device administrator without any interaction with the user just by using accessibility services.\r\nUsing accessibility services allows the Trojan to get access to the UI of other apps and to steal data from them, such as the names of the interface elements and their content, if it is available. This includes entered text. Furthermore, it takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server. It supports not only the standard Android keyboard but also a few third-party keyboards.\r\nSome apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app. It is interesting that, in order to find out which app is on top, it uses accessibility services too.\r\nFrom the information Svpeng receives from its command and control server (CnC), I was able to intercept an encrypted configuration file and decrypt it to find out the attacked apps, and to obtain a URL with phishing pages. I uncovered a few antivirus apps that the Trojan attempted to block, and some apps with phishing URLs to overlay them. Like most mobile bankers, Svpeng overlays some Google apps to steal credit card details.\r\nAlso, the config file contained a phishing URL for the PayPal and eBay mobile apps to steal credentials, and URLs for banking apps from different countries:\r\nUK – 14 attacked banking apps\r\nGermany – 10 attacked banking apps\r\nTurkey – 9 attacked banking apps\r\nAustralia – 9 attacked banking apps\r\nFrance – 8 attacked banking apps\r\nPoland – 7 attacked banking apps\r\nSingapore – 6 attacked banking apps\r\nThere was one more app in this configuration file – the Speedway app, which is a rewards app, not a financial app. Svpeng will overlay it with a phishing window to steal credentials.\r\nIt can also receive commands from the CnC:\r\nTo send SMS\r\nTo collect info (contacts, installed apps and call logs)\r\nTo collect all SMS from the device\r\nTo open a URL\r\nTo start stealing incoming SMS\r\nDistribution and protection\r\nThe Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data.\r\nMD5\r\nF536BC5B79C16E9A84546C2049E810E1\r\nSource: https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
	],
	"report_names": [
		"79198"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c8e15f23fe8c04a9abab9b9165aae8f1314c136.pdf",
		"text": "https://archive.orkl.eu/3c8e15f23fe8c04a9abab9b9165aae8f1314c136.txt",
		"img": "https://archive.orkl.eu/3c8e15f23fe8c04a9abab9b9165aae8f1314c136.jpg"
	}
}