Svpeng Malware: Empty Threat or Cause for Alarm?

The Svpeng malware is doing more than threatening cellphones — it's testing the line between prudence and overreaction when it comes to financial services security. 

Despite Svpeng's potential ability to wreak havoc, there have been no reported victims of this malware in the U.S. since it was discovered here a few weeks ago.

Experts are sharply divided over the proper level of alarm. Some argue that warnings about it amount to a lot of unnecessary fear. Others say to close one's eyes to the threat would be unwise.

Bill Nelson, the president and chief executive of the Financial Services Information Sharing and Analysis Center (FS-ISAC), is one of those who sees little cause for concern.

"We haven't seen any reports of [Svpeng]," says Nelson, whose Washington, D.C., organization gathers security incident information from 4,700 member banks, aggregates it and sends it back to them in anonymous form.

"You've got hundreds of things to worry about — you worry about things that are really affecting your institution. We face vulnerabilities and threats every month," he says.

Doug Brown, the senior vice president and general manager of the mobile division of core banking provider FIS, agrees.

"It's just another piece of the story on the security front," he says. "Factually, we have not seen it impact any of our customers; they haven't reported it to us."

FIS, in Jacksonville, Fla., is the largest core banking vendor by revenue. It has 1,600 bank customers.

Skeptics point to past cases of sensationalized malware that never lived up to their threats of damage.

In 2012 a variant of the Gozi Trojan called Prinimalka was supposed to be able to transfer money in and out of bank accounts in real time without banks ever noticing, says David Britton, the vice president of industry solutions at security software company 41st Parameter, which was acquired last year by Experian. That proved to be an exaggeration.

"When we dissected it we found that some of the claims were true," he says. "It was trying to clone devices, but the reality is it fell far short of its claims," Britton says.

Yet others say it's still early and that the risks remain serious.

When Svpeng — a piece of financial "ransomware" targeting Android devices — surfaced in the U.S., it appeared to be more destructive than any mobile banking malware that had come before it. 

It scans for the presence of specific mobile banking apps, collects data about those apps and sends them to a central location. It also locks down a user's phone and demands ransom money to unlock it.

So not only is it capable of being extremely inconvenient to mobile banking users, who are forced to choose between paying the ransom (which is a really bad idea) and buying a new phone, it also has the capability of stealing account credentials and being used to commit financial fraud against banks.

Svpeng has caused millions of dollars of damage among thousands of victims in Russia and other countries, according to researchers at Kaspersky Lab, the software firm that discovered Svpeng in the U.S. It's been used to steal login and password information from mobile banking customers of three of Russia's largest banks. It has stolen card information

"To dismiss it completely would be like staring at Mount Vesuvius while living in Roman Pompeii and saying we should ignore the tremors because they caused no damage," says Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research. Javelin is advising clients of the threat and encouraging them to educate consumers about it — and to quickly reset victims' banking credentials.

Shirley Inscoe, senior analyst at Aite Group, agrees.

"If I were a bank [chief information officer], Svpeng would be a big wake-up call and I would be taking it very seriously," she says. "We've seen the malware used in Russia to steal a lot of money and drain many cardholders' accounts. We don't want that to happen here in the U.S., and to date I think we're pretty vulnerable because we haven't educated our customers and some [anti-fraud] technologies have not been implemented."

Nelson, one of the skeptics, acknowledges that Svpeng could be a problem in the future.

"We need to be aware of more malware for mobile devices out there," he says. His group is also concerned about classic social engineering techniques that get someone to click on a link on their smartphone. "That can lead to compromises of your user ID and password," he says.

Svpeng, like most malware, uses social engineering to work its way into a user's device. In one attack method, it sends the customer a text message containing a link to a site; clicking the link downloads a malicious executable onto the user's device. In another, it catches a user visiting a porn site and pops up a window on the person's phone saying that if he wants to continue, he needs to download another piece of software, which turns out to be Svpeng. Once launched, it imitates an Adobe app and scans the phone, looking for apps from a specific list of financial institutions: USAA, Citigroup (NYSE), American Express (AXP), Wells Fargo (WFC), Bank of America (BAC), TD Bank, JPMorgan Chase (JPM), BB&T (BBT), and Regions Financial (RF).

Svpeng then displays an official-looking notice that appears to be from the FBI, saying prohibited content has been found on the phone and demanding a payment of $200, $300 or $500. It takes and displays a photo of the user from the phone or tablet camera to unsettle him.

"This is really well prepared social engineering," says Dmitry Bestuzhev, the head of the global research and analysis team for Latin America at Kaspersky Lab. "It's really scary."

The customer is asked to purchase MoneyPak vouchers and enter the voucher codes. The customer is told that if he doesn't send the money, all his contacts will receive a message about the prohibited content on his device. Some victims have already paid this ransom.

The creators of Svpeng are expected to modify the malware to enable it to steal victims' mobile banking credentials, as well as the answers to knowledge-based authentication questions. "We expect new editions of Svpeng very, very soon," says Bestuzhev. The new strains will be more complex and harder to detect, he says.

Theoretically Svpeng could target iPhone users as well as Android users. But in practice, this would be hard unless the iPhone has been "jailbroken," Bestuzhev says. To jailbreak an iPhone or iPad is to remove the manufacturer or carrier restrictions from the device.

There is little consumers can do once Svpeng takes over their phone. There's no way to remove it. They certainly should not pay the ransom fee. They can wipe the phone clean and start over, but there's still risk due to the information Svpeng will have already stolen about the user and his device.

"Once the device is infected, it's almost impossible to get it out," Bestuzhev says.
