The mobile banking Trojan Svpeng continues to infect Android devices through malvertising campaigns delivered via the Google AdSense network. But at least experts at Kaspersky Lab now understand how the malicious APK has been able to automatically download itself while bypassing Google Chrome browser permissions.
The Trojan is transferred in pieces, and the individual blocks bypass Google Chrome's security checks, so the device owner never receives a download notification. Once all of the disassembled code has been transferred, Svpeng reassembles itself on the device's SD card. The technique does not work in other browsers, Kaspersky noted.
The download is triggered automatically in the first place because malicious code embedded in the ad emulates a click on the ad, as if the user had tapped it.
“When this method was used, Chrome's download manager did not perform a check on the file type of saved content,” explained Nikita Buchka, Kaspersky Lab malware analyst, in an email interview with SC Media.
According to a Google spokesperson, the fix is "currently being tested in Chrome 54 and will be live 100 percent in Chrome 55." Additionally, the spokesperson noted that Google's Verify Apps tool, when enabled, provides warnings for Svpeng downloads, even if Chrome doesn't. And while the company doesn't have precise numbers, "the installs are much lower than the figures reported by Kaspersky."
Meanwhile, Google has taken measures to block the ads responsible for spreading the Trojan, Kaspersky noted. Nevertheless, the security company has observed multiple spikes in Svpeng activity of late, detecting infections on 318,000 users' devices over a three-month period starting in August. Attacks peaked in early October, with roughly 37,000 infections in a single day. Indeed, the malicious ads “can be shown to a huge amount of users in a short span of time,” said Buchka.
Svpeng is designed to steal bank card information via phishing windows; intercept, delete and send text messages; and collect user phone data. Currently, the malware only impacts devices with a Russian-language interface. “However, next time [the culprits] push their ‘adverts’ on AdSense they may well choose to attack users in other countries,” warned the Kaspersky blog post.