From Russia with Malware: Svpeng Mobile Banking Trojan

Like almost everything else, financial transactions have gone from in-person to digital in a matter of years. In 1999, only 11% of Internet users banked online, yet today that number has jumped to 61%, with many of those same users banking via mobile devices as well. But, while the acceptance of mobile and online banking has become more widespread, awareness around mobile-specific security risks has definitely not.

Up until now, most financial organizations operated under the guise of “ignorance is bliss” with regard to educating users and employees about the importance of safe mobile security habits. While users are certainly much more comfortable with checking account balances and depositing checks remotely than they were 10 years ago, oftentimes along with comfort comes complacency—and that can be detrimental to your online safety.

However, a recently discovered banking Trojan named “Svpeng” may be the one to wake companies and users out of their collective security slumbers. Originating in Russia, Svpeng has crossed the ocean and taken on a dangerous pattern beyond other forms of mobile ransomware I have discussed before. What sets this sneaky piece of code apart is the way in which it utilizes several different attack styles to accomplish the endgame.

To start with, the malware worms its way onto a victim’s mobile device through social engineering in the form of text messages. Social engineering tactics typically utilize readily available information about a user to trick them into revealing other, more sensitive information like passwords. Once Svpeng has gotten into a device, it will look for banking apps from specific financial institutions like Citigroup, American Express, Wells Fargo, and others. The final move it makes is to lock the device down and demand $200 in Green Dot MoneyPak cards (reloadable debit cards preferred by hackers) to have the devices unlocked.

According to security experts, Svpeng is one of the most dangerous mobile banking threats to emerge so far, and organizations must use this as a warning to improve security and increase user awareness. This Trojan and its creators are satisfied with locking down mobile devices for ransom for now—but there is nothing keeping them or others from graduating to stealing banking credentials and much more with the same technology.

It is crucial to exercise good technology habits when taking advantage of the conveniences of mobile banking. Below are some quick ways to steer clear of most mobile malware and other threats:

  • Avoid sharing revealing information about yourself online. Clever hackers can potentially use the seemingly innocuous tidbits you share about yourself to get into your accounts through social engineering. People commonly use pet names, birthdates, favorite foods, etc. as passwords for financial and other accounts, which can be easily guessed with the right amount of determination.
  • Beware of responding to anonymous text messages. It is a best practice to avoid opening text messagesor clicking on links from someone you don’t know. Additionally, even if the message appears to come from your bank, never provide personal information.Legitimate institutions will direct you to a website or customer service line instead.
  • Never perform banking activities over public Wi-Fi networks. There is no doubt that mobile banking can make life a lot easier, but the convenience can sometimes come with a price. If checking your account balance on a mobile phone is a necessity, then make sure you only do it on a private wireless network.
  • Avoid downloading apps from third parties. Apps that are on third-party app stores are often there for a reason, and frequently contain malware. By taking this one simple step, you can eradicate the risk of downloading Trojans like Svpeng.
  • Install security software on all mobile devices. Svpeng is just the beginning, so it’s important to stay one step ahead of current and future threats. Having security software installed on your device is an essential part of protecting your privacy. McAfee® Mobile Security, is free for both Android and iOS, and offers a variety of protections, including ones to help avoid Trojans like Svpeng for Android users.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post From Russia with Malware: Svpeng Mobile Banking Trojan appeared first on McAfee Blogs.