Banking Trojans usually look for and exploit unidentified or overlooked vulnerabilities in web browsers, because browsers expose them to a larger number of devices across the globe. The same has happened in this particular case, where an Android banking Trojan codenamed Svpeng used a vulnerability in the Chrome browser to infect more than 300,000 devices by downloading malicious applications onto them without the knowledge or confirmation of the users.
The malware campaign kicked off with the placement of malicious ads on Google AdSense. According to security experts, the Trojan infected this vast number of devices within just two months. This means it managed to attack 37,000 computers per day.
The Trojan was first discovered in August. It has been learned that the malware lets the hackers steal bank card data and personal data, including contacts and call history. The hackers were also able to send, delete and intercept text messages sent by the user.
Nikita Buchka and Anton Kivva, two Kaspersky Lab researchers who worked on this Trojan, confirmed that Google has been informed about this vulnerability and that the company is working on a patch to fix the issue. Most probably, Google will release this patch in the upcoming update for Chrome.
Buchka and Kivva stated:
“Google has been quick to
block the ads that the Trojan uses for propagation. However, this is a reactive
rather than a proactive approach – the malicious ads were blocked after the
Trojan was already in thousands of Android devices.
It is also worth noting that there were multiple occasions in the past two
months when these ads found their way on to AdSense; similar attacks have been
occurring up to the present time, with the most recent attack registered on 19
October 2016.”
According to the findings of the Kaspersky Lab researchers, the malware poses as an important update for Chrome or a popular app so that users are tricked into installing it on their devices. Once installed, the malware asks for administrative privileges and then vanishes from the list of installed applications. The researchers noted that:
“In all other browsers,
this method either does not work, or the user is asked if they want to save the
file or not. The method described above only works in Google Chrome for
“Of course, just
downloading the Trojan is not enough for it to work; the user also has to
install it. To ensure this, the attackers resort to social engineering. In the
latest versions of Android, installation of apps downloaded from unknown
sources is blocked by default, but the cybercriminals are obviously counting on
users disabling this setting to install an “important browser update” or a
newer version of a popular app that is already on their phone.”
As of now, the main targets of the perpetrators of this malware campaign are smartphones with a Russian-language interface, but researchers believe that Android users in other countries will soon be targeted.

“So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their
“adverts” on AdSense they may well choose to attack users in other countries;
we have seen similar cases in the past. After all, what could be more
convenient than exploiting the most popular advertising platform to download
their malicious creations to hundreds of thousands of mobile devices?”
Therefore, security experts have urged users to install the latest version of the Google Chrome browser.
