Svpeng - A New Mobile Banking Security Threat

From American Banker:

Until last week, no major security event had directly threatened U.S. mobile banking users. Last week Kaspersky Lab discovered that a breed of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware, which targets Android devices, looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.
The malware has been discovered in the U.S. and the U.K., with a new behavior pattern. In the U.S., Svpeng breaks into a mobile device through a social engineering campaign using text messages. "Once the device is infected, it's almost impossible to get it out," says Dmitry Bestuzhev, head of global research and analysis team in Latin America for Kaspersky Lab.
Once it's wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T and Regions Bank for now. It then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone's front camera.
Currently, Svpeng does not steal mobile or online banking credentials. But it is only a matter of time before it does, according to Kaspersky Lab researchers. The Trojan also contains code that could be used for file encryption; it could, therefore, encrypt files stored on the mobile device and demand money to unencrypt them. In time, Svpeng may start gathering mobile banking app credentials, which would give it a path to steal money from users' accounts, Inscoe says. Customers who fall victim to Svpeng can do almost nothing, says Roman Unuchek, senior malware analyst at Kaspersky Lab."The only hope for unlocking the device is if it was already rooted before it was infected, then it could be unlocked without deleting the data," he says. If the phone wasn't rooted, the customer might put it in safe mode and erase all data on the phone only, while SIM and SD cards stay untouched and uninfected. "It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution — the malware will block the device completely," says Unuchek.

What can you do to help protect your Mobile Device?
  • Password protect your phone. The fact that you have to type in a password to use your phone is a small trade-off for the security it provides if your phone is lost or stolen.
  • Consider a Find Your Phone tool. Some software and apps make it easy to find your phone if you lose it, and make it easy for anyone who finds it to connect with you. Some programs, also offer the option of locking and wiping your phone remotely if necessary.
  • Don't allow automatic connections. Some smartphones are set up to automatically connect with available Wi-Fi networks and Bluetooth devices. Disabling this option will prevent your phone from connecting and transmitting data without your knowledge.
  • Be suspicious of e-mails, text messages and social media interactions from strangers. If you don’t know who’s contacting you, don’t click on any links and don’t respond.
  • Change your password often. None of us like to try to remember new passwords, but in today’s world it’s a necessity. As with your computer, make sure your password is strong, containing upper and lower cases, numbers and other characters.
  • Always log out completely when you finish a mobile banking session.
If you ever have reason to believe your Mobile Banking has been compromised, contact us at once, toll-free, at 1-877-838-2517.