An android banking Trojan exploiting vulnerability in the Chrome browser has been uncovered by security researchers. The banking trojan, dubbed Svpeng, allows hackers to surreptitiously upload malicious apps onto victims' devices, without their knowledge and/or confirmation. The malware campaign began with hackers placing an infected adware on Google AdSense.
Researchers found that the android Trojan had infected over 300,000 devices in the span of just two months, with the rate of infection peaking to 37,000 victims in a day. Svpeng, which was first discovered in August, allowed hackers the ability to steal bank card data and personal data such as call history and contacts. Additionally, the malware also allowed cybercrooks to send, delete and intercept text messages.
Kaspersky Lab researchers Nikita Buchka and Anton Kivva confirmed that Google had been notified of the issue and it quickly issued out a patch to fix the vulnerability in Google Chrome. The patch is slated to become available to Android users in the next browser update.
"Google has been quick to block the ads that the Trojan uses for propagation," the duo said. "However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 19 October 2016."
The researchers also uncovered that the malware disguised itself as either an important browser update or a popular app, in efforts to trick users into installing it. Upon installation, the malware prompts victims to provide it with administrative privileges and disappears from the list of installed apps.
The researchers added, "In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. The method described above only works in Google Chrome for Android.
"Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an "important browser update" or a newer version of a popular app that is already on their phone," they said.
The threat actors operating the malware appear to be currently only targeting smartphones with a Russian language interface. However, Kaspersky Lab researchers caution that the hackers could soon also begin targeting Android users in other countries.
"So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their "adverts" on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"
It is highly recommended that Android users ensure that their Google Chrome browser is operating in the latest updated version.