A recent article from American Banker discusses the first major security threat to hit U.S. mobile banking users.
On June 11, Kaspersky Lab discovered a type of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware, which targets Android devices, looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.
However, as of now there have been no reported victims of this malware in the U.S. since it was discovered. Security experts are also divided as to the seriousness of the threat.
Avivah Litan, vice president of Gartner, says “This is troubling. Banks cannot cleanse their customers’ smartphones and have no control over this type of Trojan. All they can control is customer interactions with their bank applications. Even securing mobile bank applications and strengthening authentication processes for mobile users won’t stop this type of Trojan from operating.”
Svpeng breaks into a mobile device through a social engineering campaign using text messages. “Once the device is infected, it’s almost impossible to get it out,” says Dmitry Bestuzhev, head of global research and analysis team in Latin America for Kaspersky Lab.
Once it’s wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T and Regions Bank.
It then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone’s front camera.
For now, Svpeng does not steal mobile or online banking credentials. But it is only a matter of time before it does, according to Kaspersky Lab researchers. The Trojan also contains code that could be used for file encryption; it could, therefore, encrypt files stored on the mobile device and demand money to unencrypt them.
Customers who fall victim to Svpeng can do almost nothing, says Roman Unuchek, senior malware analyst at Kaspersky Lab.
The key to protect yourself from threats such as Svpeng is to have the proper anti-malware protection installed on your mobile device.
“It is impossible to repel an attack of American Svpeng if a mobile device doesn’t have a security solution — the malware will block the device completely,” says Unuchek. “If I were a bank CIO, I would make sure that customers have proper mobile security in place.”