It did the latter by sending SMS messages to numbers of two Russian banks, checking in this way if that particular phone number has a card tied to it. If the answer is yes, the malware proceeds to send that information to a C&C, from which it receives commands to transfer money from the victim’s account to one controlled by the attackers.
Svpeng is currently only made to target Russian users, even though a widening of the potential victim pool is likely, as it does have the ability to detect the device’s operating system’s language setting. It is propagated via bogus SMS messages.
This latest change makes the malware detect when a user launches a banking app of a specific (and one of the largest) Russian banks, and substitute the opened window with a spoofed one that is programmed to send the entered login credentials to the crooks behind this scheme.
In addition to this, the malware does the same thing when the user launches Google Play, and it shows a bogus window in which the user is asked to enter his or her credit card details. Once again, the data is sent to the crooks.
Svpeng also has a good protection mechanism against mobile AV solutions.
“To prevent security products from deleting it, the Trojan still uses the standard Android tool – deviceAdmin,” explains Kaspersky Lab expert Roman Unuchek. “To prevent the user from disabling DeviceAdmin, the Trojan uses a previously unknown vulnerability in Android. In the same way it tries to prevent resetting of the phone to factory settings.”