{ "Event": { "analysis": "2", "date": "2017-08-01", "extends_uuid": "", "info": "OSINT - A new era in mobile banking Trojans", "publish_timestamp": "1501574716", "published": true, "threat_level_id": "3", "timestamp": "1501574673", "uuid": "5980127d-ada0-479d-b976-c51d02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#37ab00", "name": "enisa:nefarious-activity-abuse=\"mobile-malware\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1501565723", "to_ids": false, "type": "link", "uuid": "5980129d-2974-4203-bdc2-c50502de0b81", "value": "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1501565723", "to_ids": false, "type": "text", "uuid": "598012ae-e154-4183-ab6a-4c7202de0b81", "value": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng \u2013 Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.\r\n\r\nAccessibility services generally provide user interface (UI) enhancements for users with disabilities or those temporarily unable to interact fully with a device, perhaps because they are driving. Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan.\r\n\r\nAttack data suggests this Trojan is not yet widely deployed. 
In the space of a week, we observed only a small number of users attacked, but these targets spanned 23 countries. Most attacked users were in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). It is worth noting that, even though most attacked users are from Russia, this Trojan won\u2019t work on devices running the Russian language. This is a standard tactic for Russian cybercriminals looking to evade detection and arrest.\r\n\r\nThe Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money. In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families, and it is why we monitor the functionality of new versions.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data.", "deleted": false, "disable_correlation": false, "timestamp": "1501565723", "to_ids": true, "type": "md5", "uuid": "598012cd-6988-42ec-85da-4dc702de0b81", "value": "f536bc5b79c16e9a84546c2049e810e1" }, { "category": "Payload delivery", "comment": "The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. 
By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data. - Xchecked via VT: f536bc5b79c16e9a84546c2049e810e1", "deleted": false, "disable_correlation": false, "timestamp": "1501565724", "to_ids": true, "type": "sha256", "uuid": "5980131c-fe10-49da-a972-48b402de0b81", "value": "74cd5726209dee35f7284f27d08aa6265a54e7b338996db26f30140f92156494" }, { "category": "Payload delivery", "comment": "The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data. - Xchecked via VT: f536bc5b79c16e9a84546c2049e810e1", "deleted": false, "disable_correlation": false, "timestamp": "1501565724", "to_ids": true, "type": "sha1", "uuid": "5980131c-a47c-4c4d-8f2e-44ba02de0b81", "value": "04f97d1dffb518232e465a8c977f384cedbceaac" }, { "category": "External analysis", "comment": "The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake flash player. Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data. 
- Xchecked via VT: f536bc5b79c16e9a84546c2049e810e1", "deleted": false, "disable_correlation": false, "timestamp": "1501565724", "to_ids": false, "type": "link", "uuid": "5980131c-aff0-42c3-a038-468102de0b81", "value": "https://www.virustotal.com/file/74cd5726209dee35f7284f27d08aa6265a54e7b338996db26f30140f92156494/analysis/1501535676/" }, { "category": "Other", "comment": "extracted from metadata 74cd5726209dee35f7284f27d08aa6265a54e7b338996db26f30140f92156494", "deleted": false, "disable_correlation": false, "timestamp": "1501574673", "to_ids": false, "type": "datetime", "uuid": "59803611-b3f4-48f0-9af1-471f950d210f", "value": "2017-07-13T00:08:36" } ] } }