In recent days, there have been numerous reports about the new Svpeng variant, with extended capabilities. These capabilities include keystroke logging and taking control of many device functions, using the accessibility services feature.
The cross-check investigation we performed here at SenseCy identified this Trojan as a new product dubbed CryEye Android Banker, currently for sale on a Russian-language underground forum. The malware has also been offered for rent since mid-July 2017, for a percentage of future profits, and its claimed capabilities are very similar to those of the analyzed Svpeng samples.
According to the description that appears in the sales thread, after installation, the Trojan attempts to gain access to the Accessibility Services of the infected device, to enable it to operate various elements in the UI, such as dialogue windows and system menus. Then, CryEye will add itself into the device administrators list and turn itself into the default SMS app, in addition to receiving the rights to take screenshots (class MediaProjection is used for this purpose). All these actions can run invisibly, undetected by the user, since CryEye approves the system notification the moment it pops up.
The commands that the Trojan can receive and complete are:
- Sending SMS with a pre-defined text to a pre-defined number
- Interception and deletion of SMS on all Android versions
- Sending the server SMS stored in the device memory
- Opening specified links
- Changing the address of the C&C server
- Forwarding information to the server about the installed applications, contact list and phone call details
In addition to overlay apps targeting users of specified applications, the Trojan possesses keylogging capabilities. A screenshot is taken and sent to the C&C server after each action performed on the keyboard.
Of note, neither the seller, nor his advertisement have gained trust among other members of the forum where it was posted.
According to the information that appears in the sales thread, a Russian security company spotted this malware as early as July 20, classifying it as Android.BankBot.211.origin.
The CryEye Trojan is reportedly being distributed at present disguised as an Adobe Flash Player application.