The Svpeng malware is doing more than threatening cellphones — it's testing the line between prudence and overreaction when it comes to financial services security.
Despite Svpeng's potential ability to wreak havoc, there have been no reported victims of this malware in the U.S. since it was discovered here a few weeks ago.
Experts are sharply divided over the proper level of alarm. Some argue that warnings about it amount to a lot of unnecessary fear. Others say to close one's eyes to the threat would be unwise.
Bill Nelson, the president and chief executive of the Financial Services Information Sharing and Analysis Center (FS-ISAC), is one of those who see little cause for concern.
"We haven't seen any reports of [Svpeng]," says Nelson, whose Washington, D.C., organization gathers security incident information from 4,700 member banks, aggregates it and sends it back to them in anonymous form.
"You've got hundreds of things to worry about — you worry about things that are really affecting your institution. We face vulnerabilities and threats every month," he says.
Doug Brown, the senior vice president and general manager of the mobile division of core banking provider FIS, agrees.
"It's just another piece of the story on the security front," he says. "Factually, we have not seen it impact any of our customers; they haven't reported it to us."
FIS, in Jacksonville, Fla., is the largest core banking vendor by revenue. It has 1,600 bank customers.
Skeptics point to past cases of sensationalized malware that never lived up to its threats of damage.
In 2012 a variant of the Gozi Trojan called Prinimalka was supposed to be able to transfer money in and out of bank accounts in real time without banks ever noticing, says David Britton, the vice president of industry solutions at security software company 41st Parameter, which was acquired last year by Experian. That proved to be an exaggeration.
"When we dissected it we found that some of the claims were true," he says. "It was trying to clone devices, but the reality is it fell far short of its claims."
Yet others say it's still early and that the risks remain serious.
When Svpeng — a piece of financial "ransomware" targeting Android devices — surfaced in the U.S., it appeared to be more destructive than any mobile banking malware that had come before it.
It scans for the presence of specific mobile banking apps, collects data about those apps and sends it to a central location. It also locks down a user's phone and demands ransom money to unlock it.
So not only is it capable of being extremely inconvenient to mobile banking users, who are forced to choose between paying the ransom (which is a really bad idea) and buying a new phone, it also has the capability of stealing account credentials and being used to commit financial fraud against banks.
Svpeng has caused millions of dollars of damage among thousands of victims in Russia and other countries, according to researchers at Kaspersky Lab, the software firm that discovered Svpeng in the U.S. It's been used to steal login and password information from mobile banking customers of three of Russia's largest banks. It has stolen card information
"To dismiss it completely would be like staring at Mount Vesuvius while living in Roman Pompeii and saying we should ignore the tremors because they caused no damage," says Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research. Javelin is advising clients of the threat and encouraging them to educate consumers about it — and to quickly reset victims' banking credentials.
Shirley Inscoe, senior analyst at Aite Group, agrees.
"If I were a bank [chief information officer], Svpeng would be a big wake-up call and I would be taking it very seriously," she says. "We've seen the malware used in Russia to steal a lot of money and drain many cardholders' accounts. We don't want that to happen here in the U.S., and to date I think we're pretty vulnerable because we haven't educated our customers and some [anti-fraud] technologies have not been implemented."
Nelson, one of the skeptics, acknowledges that Svpeng could be a problem in the future.
"We need to be aware of more malware for mobile devices out there," he says. His group is also concerned about classic social engineering techniques that get someone to click on a link on their smartphone. "That can lead to compromises of your user ID and password," he says.