Malvertising campaign delivered Android Svpeng Trojan via a zero-day in Chrome

Kaspersky discovered a new strain of the Svpeng Trojan delivered through popular news websites using Google’s AdSense via a zero-day in Chrome.

Crooks exploited a Chrome Zero-Day vulnerability to deliver the Android Svpeng Trojan to Android users via Google AdSense.

The Svpeng Trojan is not a new threat, it was first spotted by Kaspersky Lab in July 2013 when threat actors in the wild targeted Android users, mostly in Russia and in the US.  some campaigns were also aimed at devices in the United States and elsewhere.

The malware was improved across the months and Kaspersky noticed in November 2013 that it was capable of phishing as well, trying to harvest the financial data of victims.

Last year, the Russian police with a help of Group-IB and Sberbank security service arrested Russian the creators of  the Svpeng Trojan and a group of accomplices. The group was targeting Android customers of a number of Russian banks.

Among the features implemented by the mobile malware there is the privilege escalation ability, intercepting and sending SMS messages, delivering ransomware, phishing payment card data, and disabling mobile security solutions.

News of the day is that Kaspersky Lab in August discovered a new strain of the Svpeng Trojan delivered through popular news websites using Google’s AdSense.

“In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites.” reported Kaspersky.

Unfortunately, when Kaspersky discovered the malvertising attack it estimated roughly 318,000 infections over a two-month period.

“As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. ” reads the analysis from Kaspersky.

The latest versions of Trojan-Banker.AndroidOS.Svpeng is limited to Russia and the CIS.

The company reported the incident to Google that developed a patch to fix the flaw in Google Chrome, the security update will become available to users the next time the browser is updated.

It is interesting to highlight that the malicious payload served via ads were automatically downloaded to Android mobile devices, without any warning to the victim. Researchers determined that the cybercriminals exploited a zero-day in the Android version of Chrome.

Chrome normally warns users when a potentially dangerous file is downloaded to their Android device and prompts them to confirm the download, but crooks bypassed this mechanism by breaking down the file into smaller pieces.

““When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user,” researchers explained.” continues Kaspersky.

Kaspersky pointed out that the Svpeng Trojan is not automatically installed on Android devices after the download via the Chrome zero-day vulnerability. The attackers used a social engineering technique in order to trick the victims into installing it. Experts observed the attackers using malicious files names such as “WhatsApp.apk,” “last-browser-update.apk” or “Android_update_6.apk” in the attempt of tricking users into installing them.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Android , Svpeng Trojan)

[adrotate banner=”13″]