New Variant of Notorious Svpeng Currently for Sale on the Russian Underground

In recent days, there have been numerous reports about a new Svpeng variant with extended capabilities. These capabilities include keystroke logging and control of many device functions through the Android Accessibility Services feature.

The cross-check investigation we performed here at SenseCy identified this Trojan as a new product dubbed CryEye Android Banker, currently for sale on a Russian-language underground forum. The malware has also been offered for rent since mid-July 2017, for a percentage of future profits, and its claimed capabilities are very similar to those of the analyzed Svpeng samples.

Figure: The sales thread published on a prominent underground forum

According to the description in the sales thread, after installation the Trojan attempts to gain access to the Accessibility Services of the infected device, which lets it operate UI elements such as dialogue windows and system menus. CryEye then adds itself to the device administrator list and makes itself the default SMS app, and additionally obtains the right to take screenshots (the MediaProjection class is used for this purpose). All these actions can run invisibly, undetected by the user, because CryEye uses its accessibility access to approve each system prompt the moment it pops up.

The commands the Trojan can receive from its C&C server and execute are:

  • Sending SMS with a pre-defined text to a pre-defined number
  • Interception and deletion of SMS on all Android versions
  • Uploading SMS messages stored in device memory to the server
  • Opening specified links
  • Changing the address of the C&C server
  • Forwarding information to the server about the installed applications, contact list and phone call details

In addition to overlays displayed on top of specified target applications, the Trojan has keylogging capabilities: a screenshot is taken and sent to the C&C server after each action performed on the keyboard.

Of note, neither the seller nor his advertisement has gained the trust of other members of the forum where it was posted.

According to the information that appears in the sales thread, a Russian security company spotted this malware as early as July 20, classifying it as Android.BankBot.211.origin.

Figure: Screenshots showing the CryEye Trojan in action. Source: Dr. WEB

The CryEye Trojan is reportedly being distributed at present disguised as an Adobe Flash Player application.

IOCs:

31dcc7e230072ef57e09b2bc458657ec

f536bc5b79c16e9a84546c2049e810e1
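The grants described above (an enabled accessibility service that also becomes the default SMS app) are visible in Android's secure settings, so an analyst with adb access to a test device can check for them. The following triage helper is an added example written for this post, not SenseCy's code nor anything taken from the malware. It parses the output of two real settings reads, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`, flags accessibility services outside an allowlist, flags the accessibility-plus-default-SMS combination, and matches a file's hash against the two IOCs listed above (32 hex characters each, assumed here to be MD5). The sample setting values, the allowlist and the `com.example.flashupdate` package name are constructed for the example.

```python
"""Triage helper for the permission grants CryEye is described as taking.

Added example, not code from the original post or from any vendor. The two
settings keys are real Android Settings.Secure keys; the sample values,
allowlist and package names below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from typing import Iterable

# The two hashes listed in the post (32 hex chars, assumed to be MD5).
CRYEYE_IOC_HASHES = {
    "31dcc7e230072ef57e09b2bc458657ec",
    "f536bc5b79c16e9a84546c2049e810e1",
}

# Hypothetical allowlist of accessibility services an organisation expects on
# its devices. TalkBack's package name is real; the list itself is constructed.
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample output of the two `settings get secure ...` reads, as an
# infected device matching the sales-thread description might show them.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashupdate/.AccService"
)
SAMPLE_DEFAULT_SMS = "com.example.flashupdate"


def parse_enabled_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Parse the colon-separated `package/ServiceClass` list stored in
    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES. `null` means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for item in raw.split(":"):
        if "/" not in item:
            continue  # skip malformed fragments rather than crashing triage
        pkg, service = item.split("/", 1)
        # Android accepts the shorthand ".Service" for a class inside `pkg`.
        if service.startswith("."):
            service = pkg + service
        entries.append((pkg, service))
    return entries


def triage_grants(accessibility_raw: str, default_sms_raw: str,
                  allowlist: Iterable[str] = KNOWN_ACCESSIBILITY_PACKAGES) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    allowed = set(allowlist)
    findings = []
    default_sms = default_sms_raw.strip()
    if default_sms == "null":
        default_sms = ""
    for pkg, service in parse_enabled_accessibility_services(accessibility_raw):
        if pkg not in allowed:
            findings.append(f"unexpected accessibility service: {service}")
        if default_sms and pkg == default_sms:
            findings.append(
                f"{pkg} is both an accessibility service and the default SMS app")
    return findings


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory blob, used for the IOC comparison."""
    return hashlib.md5(data).hexdigest()


def file_matches_ioc(path: str, iocs: Iterable[str] = CRYEYE_IOC_HASHES) -> bool:
    """Stream a file (e.g. a pulled APK) through MD5 and compare to the IOC set."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() in set(iocs)


if __name__ == "__main__":
    for line in triage_grants(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS):
        print("FLAG:", line)
    # Usage against a pulled APK (path is a placeholder):
    # print(file_matches_ioc("/path/to/pulled.apk"))
```

On a real device the two `settings get secure` values come straight from adb; the script only flags the combination and the allowlist miss, so an unexpected service is a prompt to inspect the package, not proof of infection.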
