# Svpeng
Svpeng is one of the earliest Android banking trojans, first discovered by Kaspersky in 2013 targeting Russian banking customers. Over its lifecycle, Svpeng evolved from a simple SMS-based credential stealer into a full banking trojan with overlay attacks, keylogging, and ransomware capabilities. It pioneered several techniques that became standard in later Android malware: using Device Admin to lock the screen for ransom, exploiting accessibility services for keylogging, and abusing USSD codes for direct fund transfers. Svpeng's codebase influenced DoubleLocker, the first Android ransomware to combine Device Admin screen locking with file encryption.
## Overview
| Attribute | Details |
|---|---|
| First Seen | 2013 |
| Status | Inactive (succeeded by derivatives) |
| Type | Banking trojan, ransomware |
| Aliases | Trojan-Banker.AndroidOS.Svpeng |
| Attribution | Russian-speaking actors |
| Distribution | SMS phishing, drive-by download, malvertising |
## Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | Trojan-Banker.AndroidOS.Svpeng |
| ESET | Android/Spy.Banker.AEC, Android/Locker.Svpeng |
| McAfee | Android/Svpeng |
| Trend Micro | AndroidOS_Svpeng |
## Origin and Lineage
Kaspersky first documented Svpeng in mid-2013, identifying it as a banking trojan targeting customers of Russia's Sberbank and other major Russian financial institutions. The initial version used SMS-based attacks: it sent USSD codes and SMS commands to banking shortcodes to initiate transfers from the victim's account, exploiting the SMS-based banking services widely used in Russia at the time.
By 2014, Kaspersky documented a major evolution: Svpeng had added Device Admin abuse and ransomware capability. The trojan would lock the device screen, display a fake FBI or police warning, and demand a $200-500 ransom. This made Svpeng one of the first Android malware families to combine banking fraud with ransomware in a single package.
In 2016-2017, Kaspersky identified further evolution with Svpeng gaining accessibility service abuse for keylogging and phishing overlay attacks, moving beyond its SMS-based roots to match the capabilities of contemporary banking trojans like BankBot and Marcher.
### DoubleLocker
DoubleLocker, documented by ESET in October 2017, was built on Svpeng's banking overlay codebase. It became the first Android ransomware to combine Device Admin screen lock manipulation with AES file encryption. DoubleLocker changed the device PIN and encrypted files on external storage, demanding 0.0130 BTC for recovery.
## Distribution
| Period | Vector | Details |
|---|---|---|
| 2013-2014 | SMS phishing | SMS messages impersonating Russian banks with links to malicious APKs |
| 2016 | Malvertising | Google AdSense ads on legitimate websites triggered automatic APK downloads in Chrome for Android |
| 2016-2017 | Drive-by download | Exploited Chrome vulnerability to download APK without user consent |
The 2016 malvertising campaign was notable: Kaspersky documented that visiting any website displaying Google AdSense ads could trigger an automatic Svpeng download in Chrome for Android. Google patched the Chrome vulnerability in December 2016. At its peak, Svpeng was detected approximately 318,000 times over a two-month period, averaging 37,000 attacks per day.
## Capabilities
### Evolution of Features
| Period | Capabilities |
|---|---|
| 2013 | SMS-based banking fraud via USSD codes and SMS commands to bank shortcodes |
| 2014 | Added Device Admin screen lock, ransomware (fake police warning), anti-uninstall |
| 2016 | Added accessibility service keylogging, phishing overlays, Chrome exploit distribution |
| 2017 | Full banking trojan with overlays, keylogging, SMS interception, screen lock ransomware |
### Core Features (Final Version)
| Capability | Implementation |
|---|---|
| Overlay attacks | Phishing overlays triggered when target banking apps open |
| Keylogging | Accessibility service captures all text input across apps |
| SMS interception | Reads and redirects SMS for OTP theft |
| Screen lock ransomware | Device Admin changes PIN and displays ransom demand |
| Anti-uninstall | Prevents removal by blocking Settings access via accessibility |
| Self-defense | Fights removal by revoking Device Admin attempts |
## Technical Details
### Accessibility Service Abuse
Kaspersky's 2017 analysis documented Svpeng's accessibility service implementation:
- Captures all text typed on the device via `TYPE_VIEW_TEXT_CHANGED` events
- Overlays phishing windows on top of banking apps, detected through `TYPE_WINDOW_STATE_CHANGED` events
- Blocks attempts to open Settings or disable Device Admin by detecting navigation events and closing the screen
- Auto-grants itself permissions through UI interaction
### Device Admin Abuse
Svpeng was among the earliest families to abuse Device Admin for both persistence and ransomware. Once granted Device Admin, it could change the screen lock PIN, making the device inaccessible. If the user attempted to revoke admin privileges, Svpeng intercepted the action and closed the Device Admin settings screen.
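Both the accessibility abuse described in the previous section and the Device Admin abuse described here leave a footprint that can be audited from a host over `adb` rather than through the on-device Settings UI (which a Svpeng-style app blocks): the `enabled_accessibility_services` secure setting, the enabled admins listed by `dumpsys device_policy`, and the list of user-installed packages. The script below is an added example written for this page; it is not code from the Kaspersky or ESET analyses and not Svpeng's own code. It parses constructed sample output of those three commands and flags a sideloaded package that holds both privileges, which is the Svpeng pattern. The line formats the parser expects (`pkg/Service` components separated by colons, admin components listed one per indented line under `Enabled Device Admins`, `package:` prefixes) are assumptions about typical `adb` output, and every package name in the samples except TalkBack is made up.

```python
"""Audit Accessibility and Device Admin grants on an Android device.

Added example for this page (not the malware's or any vendor's code). The
three constructed sample strings below mimic what these commands print:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
  adb shell pm list packages -3
The exact formats are assumptions; adjust the parsers if a device differs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- constructed sample input (package names other than TalkBack are fake) ---
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashupdate/.AccService"
)

SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.managedprovisioning/.DeviceAdminReceiver:
      uid=10042
    com.example.flashupdate/.AdminReceiver:
      uid=10257
  Current user: 0
"""

SAMPLE_THIRD_PARTY = """package:com.example.flashupdate
package:com.example.bank
"""

# Accessibility services the defender expects on the device (assumed allowlist).
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


@dataclass
class Finding:
    package: str
    accessibility: bool
    device_admin: bool
    third_party: bool

    @property
    def severity(self) -> str:
        # The Svpeng pattern: one user-installed app holding both privileges.
        if self.accessibility and self.device_admin and self.third_party:
            return "high"
        if self.third_party:
            return "medium"
        return "low"


def package_of(component: str) -> str:
    """'pkg/cls' -> 'pkg'."""
    return component.split("/", 1)[0]


def parse_accessibility(setting: str) -> list[str]:
    """Colon-separated component list; 'null' or empty means none enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [c for c in setting.split(":") if c]


# Matches an indented 'pkg/Receiver:' line, or the 'ComponentInfo{pkg/Receiver}'
# form some builds print, and captures the component.
_ADMIN_RE = re.compile(r"^\s*(?:ComponentInfo\{)?([\w.]+/[\w.$]+)\}?:?\s*$", re.M)


def parse_device_admins(dump: str) -> list[str]:
    return _ADMIN_RE.findall(dump)


def parse_packages(pm_output: str) -> set[str]:
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def audit(accessibility_setting: str, device_policy_dump: str,
          third_party_output: str, allowlist=KNOWN_ACCESSIBILITY) -> list[Finding]:
    """Return one Finding per non-allowlisted package holding either privilege."""
    acc_pkgs = {package_of(c) for c in parse_accessibility(accessibility_setting)}
    admin_pkgs = {package_of(c) for c in parse_device_admins(device_policy_dump)}
    third_party = parse_packages(third_party_output)
    findings = []
    for pkg in sorted(acc_pkgs | admin_pkgs):
        if pkg in allowlist:
            continue
        findings.append(Finding(pkg, pkg in acc_pkgs, pkg in admin_pkgs, pkg in third_party))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_THIRD_PARTY):
        print(f"{f.severity:6} {f.package} accessibility={f.accessibility} "
              f"admin={f.device_admin} sideloaded={f.third_party}")
```

On a real device, feed the script the output of the three `adb shell` commands instead of the sample strings. The severity logic deliberately treats a user-installed package holding both Accessibility and Device Admin as the strongest signal, since that pairing is exactly what Svpeng needed for keylogging plus screen-lock ransomware and self-defense, while a system package holding only Device Admin is expected on managed devices.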
### Chrome Drive-By Download
The 2016 distribution vector exploited a Chrome for Android behavior that allowed JavaScript in an ad iframe to trigger a file download without user interaction. When an advertising network served the malicious ad, Chrome silently downloaded the Svpeng APK to the device's Downloads folder. A notification then appeared informing the user of the "completed download," social-engineering them into installing it.
## Target Regions
| Period | Primary Targets |
|---|---|
| 2013-2015 | Russia (Sberbank, VTB24, Gazprombank) |
| 2016 | Russia, Germany, Turkey, Poland, France |
| 2017 | Global expansion across 27 countries |
Svpeng originally targeted Russian banking users exclusively, exploiting SMS-based banking services specific to Russian financial institutions. The 2016 malvertising campaigns expanded targeting to European markets, and the accessibility-based overlay attacks enabled targeting of any banking app regardless of region.
## Notable Campaigns
2013: Kaspersky identifies Svpeng targeting Sberbank and other Russian banks via SMS-based fund transfers using USSD codes.
2014: Svpeng adds ransomware functionality, displaying fake FBI/police warnings and demanding $200-500. Becomes one of the first Android families to combine banking fraud and ransomware.
2016: Svpeng exploits Chrome vulnerability for drive-by download distribution through Google AdSense ads. 318,000 detections over two months, peaking at 37,000 attacks per day. Google patches Chrome in December 2016.
October 2017: ESET publishes DoubleLocker analysis, documenting the Svpeng derivative that became the first Android ransomware to combine PIN change with file encryption.
## Related Families
Svpeng's primary legacy is through DoubleLocker, which built on its codebase to create more sophisticated ransomware. In the broader Android banking trojan timeline, Svpeng (2013) was contemporary with BankBot (2014) and Marcher (2013), forming the first generation of Android overlay banking trojans. Later families like Anubis, Cerberus, and Hydra inherited techniques that Svpeng helped pioneer, particularly accessibility-based keylogging and Device Admin abuse.