Svpeng is a family of mobile Trojans that targets Android OS and combines the functionality of a banking Trojan with that of ransomware. It is currently being distributed through Google’s AdSense advertising network. The Trojan is downloaded as an APK file named last-browser-update.apk as soon as the Android device is used to visit a website displaying the malicious advertisement. If this file is installed either manually or automatically, the latest version of Svpeng begins scanning the device for various financial and banking apps and uses phishing overlays to capture and transmit the victim’s login credentials and other sensitive data. It can also intercept, send, and delete text messages on the device. Some versions lock the screen with a fake FBI notice, demanding a payment of $200 in the form of Green Dot’s MoneyPak cards. Svpeng originally only targeted victims within Russia; however, in June 2014, Kaspersky Lab reported that the Android Trojan had begun targeting victims within the US.
- July 2017: Svpeng Trojan delivers a keylogger and steals everything through accessibility services. (Securelist)
- November 2016: Svpeng Android banking Trojan is being distributed via a security vulnerability in Google Chrome. (Securelist)
- June 2014: Kaspersky Lab discovers Svpeng targeting victims in the US. (Kaspersky Lab)
- Kaspersky Lab provides technical details about Svpeng, including IoCs.