Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Alleged Creator of Svpeng Android Malware Arrested in Russia

A 25-year-old individual has been arrested by law enforcement authorities on suspicion of being the developer of Svpeng, an Android Trojan used by cybercriminals to target online banking customers, Russia’s Ministry of Internal Affairs reported on Saturday.

A 25-year-old individual has been arrested by law enforcement authorities on suspicion of being the developer of Svpeng, an Android Trojan used by cybercriminals to target online banking customers, Russia’s Ministry of Internal Affairs reported on Saturday.

In addition to the 25-year-old who is believed to be the malware’s creator, officers arrested four other individuals suspected of being part of a cybercriminal group that used the Trojan to steal money from bank accounts. The suspects are from Russia’s Chelyabinsk region, the ministry said in a report on its Russian-language website.

The Russian Interior Ministry’s Cybercrime Department “K,” which also took part in the takedown of the Simda botnet last week, said the suspects confessed to their crimes. They have been charged with theft, and creating, using and distributing malicious computer programs.

Officers seized computers, mobile phones, SIM cards, servers, media devices and payment cards during searches. A preliminary estimate shows that the cybercrooks caused damage worth more than 50 million rubles (nearly USD 1 million), the Interior Ministry said.

Investigators are now trying to determine if the suspects are involved in other similar cybercrime operations.

In a blog post published on Monday, Russia-based cyber security firm Group-IB, which assisted authorities in their investigation, reported that the crime ring, called “The Fascists,” named its malware management system “The fifth Reich.”

The existence of the Svpeng Trojan was first brought to light in July 2013 by Kaspersky Lab, whose products detect the threat as Trojan-SMS.AndroidOS.Svpeng.

Advertisement. Scroll to continue reading.

In the summer of 2014, Kaspersky reported that while the Trojan’s main version was still primarily used to target Russians, a new variant of Svpeng had been targeting users in the United States and Europe. This new variant leveraged ransomware functionality to help its operators make money.

According to Group-IB, the Russian cybercriminals first started stealing money from their victims’ accounts by using SMS banking. The malware intercepted all SMS messages on the infected phone and then used SMS banking to send commands for money transfers. The Trojan intercepted the payment confirmation codes to ensure that the transfer could be completed without raising suspicion.

The cybercrooks later started using phishing websites to trick users into handing over their credit card details. The malware was designed to open a new window on top of the regular Google Play interface, instructing users to enter their payment card data. The attackers’ server used an algorithm to ensure that the provided data was valid.

Researchers said the attackers then started collecting online banking login credentials. The malware monitored users’ activities and replaced the legitimate application with a phishing page when a targeted banking app was launched. By having access to usernames, passwords, and verification SMS messages sent by the banks, the fraudsters could easily access victims’ accounts and steal their money.

The malware was distributed with the aid of SMS messages containing a fake download link for Adobe Flash Player, Group-IB said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...