CIO

Russian authorities nab Android banking malware kingpin

  • Liam Tung (CSO Online)
  • 14 April, 2015 09:41

The Russian Interior Ministry has arrested the alleged leader of a gang operating the Svpeng Android banking malware and ransomware aimed at English-speaking targets.

The ministry announced on Sunday that it had arrested a 25-year-old who is accused of developing and operating the banking trojan. It also detained four other people said to be linked to the operation, who have confessed to the allegations.

The Svpeng malware first came to the attention of security researchers in 2013, when it was targeting customers of the large Russian bank Sberbank. If victims launched the bank's app, they would be presented with a fake window designed to steal the login credentials for their accounts. The malware used a similar technique when the Google Play store app was launched on an infected device.

Further reading on the fake login window (Kaspersky Securelist): http://securelist.com/blog/57301/the-android-trojan-svpeng-now-capable-of-mobile-phishing/

By the middle of last year, however, the malware was also targeting English-language markets, primarily in the US and UK. But instead of phishing for online banking credentials directly, the malware was tweaked to deliver ransomware, which would lock an infected device until the victim paid $500 via one of several online transfer services.

While the malware didn't directly seek online credentials from US and UK banking customers, it nonetheless surveyed infected smartphones for the presence of apps from US and UK financial institutions, including Chase Mobile, Bank of America, Amex and Citi. The attacks did not target Australian financial customers. The attackers were probably doing homework for future attacks in which login and password details would be stolen, Russian security firm Kaspersky noted at the time.

According to the ministry, it seized a "significant amount" of computers containing evidence that they had been used to spread the Svpeng malware, implicating the group in the theft of 50 million rubles ($952m). It also seized mobile phones, SIM cards, servers and credit cards.

The Svpeng Android malware was one of a few strains of mobile ransomware that emerged following the rise of encryption ransomware for Windows desktop systems over the past three years. Another Android strain, Android/Simplocker.A, encrypted files stored on a smartphone's SD card.

Group-IB, a Russian security firm that assisted the Russian ministry with the arrests, said that the Svpeng malware originally targeted credit card information in Russian-speaking countries but later expanded to online banking credentials.

The monetary value of the damage caused by Svpeng is small relative to some of the bigger cybercrime operations in Russia. In December last year Group-IB and Dutch security outfit Fox-IT reported on a cybercriminal network they dubbed Anunak, which had stolen over US$25 million through malware designed for automatic teller machines and point-of-sale systems. The hackers behind that operation remain at large and mostly targeted businesses in Russia and Ukraine.

This article is brought to you by Enex TestLab, content directors for CSO Australia.