A sophisticated banking Trojan malware known as "Svpeng" is evolving, according to cybersecurity firm Kaspersky Lab. Research now suggests it is exploiting "accessibility services", built into Android devices and designed for disabled users, to steal passwords and empty accounts.

The latest modifications were discovered in mid-July this year and – once on a device – experts found that it could intercept keystrokes, spy on other apps and use "overlay" screens to dupe victims into thinking they were putting their passwords into legitimate banking services.

The malicious software is currently designed to mirror at least 14 banking services based in the UK, revealed Kaspersky Lab security researcher Roman Unuchek in a blog post published on 31 July 2017.

He branded it "one of the most dangerous" mobile malware families. "Svpeng is distributed from malicious websites as a fake flash player," Unuchek stated.

"Its malicious techniques work even on fully-updated devices with the latest Android version and all security updates installed. By accessing only one system feature this Trojan can gain all necessary additional rights and steal lots of data."

The analyst revealed the Trojan is not yet widely distributed, but said that within the space of a single week it managed to spread across 23 countries. In that case, infected users were based in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%).

There are clear signs the malware's operators are Russian, the biggest being that the software does not infect devices using that language. "This is a standard tactic for Russian cybercriminals looking to evade detection and arrest," Unuchek noted in his detailed analysis of the malware.

After checking the language installed, the Trojan asks for permission to use the accessibility services. If accepted, it grants the hackers administrative control of the device meaning it can then use overlay screens, send and receive text messages, make phonecalls and read contacts.

In its new enhanced form, Svpeng can also block any attempts to remove admin rights in order to stop a user from uninstalling it. The malware takes screenshots every time the user presses the keyboard and uploads all the activity – and hijacked material – directly to the hacker.

"Some apps do not allow screenshots to be taken when they are on top," Unuchek wrote. "In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app. In order to find out which app is on top, it uses accessibility services too."

Analysis of the hackers' command and control (C&C) server showed how the malware attempted to block a selection of anti-virus tools, but these were not named. However, one file did reveal a selection of phishing URLs for a selection banking apps from around the world.

These included:

  • UK – 14 attacked banking apps;
  • Germany – 10 attacked banking apps;
  • Turkey – 9 attacked banking apps;
  • Australia – 9 attacked banking apps;
  • France – 8 attacked banking apps;
  • Poland – 7 attacked banking apps; and
  • Singapore – 6 attacked banking apps.

Malware targeting the customers of banks – especially on Android devices – is not new but it remains vital for experts to watch how criminal hackers and cybercriminals evolve their malware over time. Some, like the recent 'BankBot', have made it onto the official Google marketplace.

In November 2016, Kaspersky Lab revealed that the Svpeng Trojan had infected more than 300,000 devices in the span of just two months, with a rate of infection peaking at 37,000 victims in a day. In another case last year, it was found to be stealing credentials via Google's ad network.