The mobile banking trojan Svpeng continues to infect Android devices through malvertising campaigns delivered via the Google AdSense network. But at least experts at Kaspersky Lab now understand how the malicious APK has been able to automatically download itself while bypassing Google Chrome browser permissions.
According to Kaspersky via its Securelist blog, Google has developed a patch in response, but it will not take hold until the next official browser update.
Normally, a suspicious mobile program would trigger a Chrome alert screen that asks the user for permission to download the software, Kaspersky Lab explained in its blog. However, Svpeng's authors programmed the JavaScript malware to download in small, encrypted blocks of 1024 bytes, delivered in piecemeal fashion to the device.
The individual blocks are able to bypass Google Chrome's security measures; consequently the device owner never receives a notification. Once all of the disassembled code has been transferred over, Svpeng rebuilds itself on the device's SD card. This technique does not work on other browsers, Kaspersky noted.
The malware is automatically downloaded in the first place because the malicious code within the ad message emulates a click on the ad as if the user did it himself.
“When this method was used, Chrome's download manager did not perform a check on the file type of saved content,” explained Nikita Buchka, Kaspersky Lab malware analyst, in an email interview with SC Media.
According to a Google spokesperson, the fix is "currently being tested in Chrome 54 and will be live 100 percent in Chrome 55." Additionally, the spokesperson noted that Google's Verify Apps tool, when enabled, provides warnings for Svpeng downloads, even if Chrome doesn't. And while the company doesn't have precise numbers, "the installs are much lower than the figures reported by Kaspersky."
Meanwhile, Google has taken measures to block the ads responsible for spreading the Trojan, noted Kaspersky. Nevertheless, the security company has observed multiple spikes in Svpeng activity of late, detecting infections in 318,000 users over a three-month period starting in August. Attacks peaked in early October, during which time there were as many as roughly 37,000 in one day. Indeed, the malicious ads “can be shown to a huge amount of users in a short span of time,” said Buchka.
Svpeng is designed to steal bank card information via phishing windows; intercept, delete and send text messages; and collect user phone data. Currently, the malware only impacts devices with a Russian-language interface. “However, next time [the culprits] push their ‘adverts' on AdSense they may well choose to attack users in other countries,” warned the Kaspersky blog post.
