The new Svpeng variant doesn't steal mobile banking credentials, but there are indications that this feature is being planned. The malware checks to see whether mobile banking apps from several U.S. financial institutions including American Express, Citibank, Chase Bank, Wells Fargo, Bank of America, TD Bank and BB&T are installed on the affected devices and uploads the scan results to its command-and-control server.
"The cybercriminals are probably just gathering statistics about the use of these apps on infected devices," Unuchek said. "Considering that Svpeng is, first and foremost, a banking Trojan, we can expect to see attacks on the clients of these banks who use mobile apps to manage their accounts."