Kaspersky Lab experts recently discovered a modification of the mobile banking Trojan, Svpeng hiding in Google’s advertising network AdSense. In the space of just two months Svpeng was detected on the Android devices of around 330,000 users, with the rate of infection peaking at 26,000 victims in a day. The attackers, intent on stealing bank card information and personal data such as contacts and call history, were exploiting a bug in Google Chrome for Android. Now that Google has fixed the bug, Kaspersky Lab experts can reveal the full details of the attack.
The first known case of a Svpeng attack occurred in mid-July on an online Russian news outlet. During the attack, the Trojan silently downloaded itself onto the Android devices of the website’s visitors. In unravelling the attack process, Kaspersky Lab researchers found that the campaign started with an infected advert being placed on Google AdSense. The advert displayed “normally” on uninfected webpages, with the Trojan only downloading when the user accessed the page via the Chrome browser on an Android device.
Svpeng disguised itself as an important browser update or popular application, to convince the user to approve the installation. Once the malware was launched it disappeared from the list of installed apps and asked the user to give it device admin rights. This made the malware harder to detect. It appeared that the attackers had found a way to bypass some key security features of Google Chrome for Android.
Normally, when an APK file is downloaded on a mobile device via an external web link, the browser displays a warning that a potentially dangerous object is being downloaded. In this case, fraudsters found a security flaw that allowed APK files to be downloaded without notifying users. On discovering the bug, Kaspersky Lab immediately reported the issue to Google. The patch will be issued in the nearest Google Chrome for Android update.
“The Svpeng case confirms, yet again, the importance of cooperation between companies. We share a common goal to protect users from cyberattack, and it is vital that we work together to achieve this. Users can also help by not downloading applications from untrusted sources and thinking about what permissions they are asked to give and why,” said Nikita Buchka, Malware analyst at Kaspersky Lab.
The Svpeng mobile banking Trojan is designed to steal bank card information. It also collects call history, text and multimedia messages, browser bookmarks and contacts. Svpeng mainly attacks Russian-speaking countries; however it has the potential to spread globally. Due to the specific nature of the malware distribution, millions of webpages globally are at risk, with many of them using AdSense to display adverts.