Banking Trojans usually look for and exploit unidentified or overlooked vulnerabilities in web browsers, because browsers give them a far larger pool of devices to infect across the globe. That is what happened in this case: an Android banking Trojan codenamed Svpeng used a vulnerability in the Chrome browser to infect more than 300,000 devices by downloading malicious application files onto them without the knowledge or confirmation of the users.
The malware campaign kicked off with malicious adverts placed on Google AdSense. According to security experts, the Trojan infected this vast number of devices within just two months, which means it managed to attack 37,000 devices per day.
The Trojan was first discovered in August. It has been learned that the malware lets the hackers steal bank card data and personal data, including contacts and call history. The hackers were also able to send, delete and intercept the user’s text messages.
Nikita Buchka and Anton Kivva, two of the Kaspersky Lab researchers who worked on this Trojan, confirmed that Google has been informed about the vulnerability and is working on a patch to fix the issue. Google will most probably release the patch in the upcoming update of the Chrome browser.
Buchka and Kivva stated that:
“Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already in thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 19 October 2016.”
According to the findings of the Kaspersky Lab researchers, the malware poses as an important update for Chrome or as a popular app, so that users are tricked into installing it on their devices. Once installed, the malware asks for administrator privileges and then disappears from the list of installed applications. The researchers noted that:
“In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. The method described above only works in Google Chrome for Android.”
“Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone.”
As of now, the main targets of the perpetrators of this malware campaign are smartphones with a Russian-language interface, but researchers believe that Android users in other countries will soon be targeted.
“So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?”
Therefore, security experts urge users to install the latest version of the Google Chrome browser.