Alleged Creator of Svpeng Android Malware Arrested in Russia

A 25-year-old individual has been arrested by law enforcement authorities on suspicion of being the developer of Svpeng, an Android Trojan used by cybercriminals to target online banking customers, Russia’s Ministry of Internal Affairs reported on Saturday.

In addition to the 25-year-old who is believed to be the malware’s creator, officers arrested four other individuals suspected of being part of a cybercriminal group that used the Trojan to steal money from bank accounts. The suspects are from Russia’s Chelyabinsk region, the ministry said in a report on its Russian-language website.

The Russian Interior Ministry’s Cybercrime Department “K,” which also took part in the takedown of the Simda botnet last week, said the suspects confessed to their crimes. They have been charged with theft, and creating, using and distributing malicious computer programs.

Officers seized computers, mobile phones, SIM cards, servers, media devices and payment cards during searches. A preliminary estimate shows that the cybercrooks caused damage worth more than 50 million rubles (nearly USD 1 million), the Interior Ministry said.

Investigators are now trying to determine if the suspects are involved in other similar cybercrime operations.

In a blog post published on Monday, Russia-based cyber security firm Group-IB, which assisted authorities in their investigation, reported that the crime ring, called “The Fascists,” named its malware management system “The fifth Reich.”

The existence of the Svpeng Trojan was first brought to light in July 2013 by Kaspersky Lab, whose products detect the threat as Trojan-SMS.AndroidOS.Svpeng.

In the summer of 2014, Kaspersky reported that while the Trojan’s main version was still primarily used to target Russians, a new variant of Svpeng had been targeting users in the United States and Europe. This new variant leveraged ransomware functionality to help its operators make money.

According to Group-IB, the Russian cybercriminals first started stealing money from their victims’ accounts by using SMS banking. The malware intercepted all SMS messages on the infected phone and then used SMS banking to send commands for money transfers. The Trojan intercepted the payment confirmation codes to ensure that the transfer could be completed without raising suspicion.

The cybercrooks later started using phishing websites to trick users into handing over their credit card details. The malware was designed to open a new window on top of the regular Google Play interface, instructing users to enter their payment card data. The attackers’ server used an algorithm to ensure that the provided data was valid.

Researchers said the attackers then started collecting online banking login credentials. The malware monitored users’ activities and replaced the legitimate application with a phishing page when a targeted banking app was launched. By having access to usernames, passwords, and verification SMS messages sent by the banks, the fraudsters could easily access victims’ accounts and steal their money.

The malware was distributed with the aid of SMS messages containing a fake download link for Adobe Flash Player, Group-IB said.