Kaspersky Lab researchers discovered a campaign that uses Google AdSense advertisements to deliver the Svpeng banking Trojan to Android devices.
The campaign was launched by the criminal group that developed the Svpeng Trojan, wrote Kaspersky Lab malware analysts Nikita Buchka and Mikhail Kuzin in a SecureList blog post. Android users are infected with the malware when they visit mainstream websites, they wrote.
The analysts refer to the campaign as “a gratuitous act of violence against Android users.” The payload is delivered to Android devices without requiring users to click on the malicious advertisements.
Cybercriminals “are turning the ad networks into incredibly efficient malware delivery vehicles,” wrote Michael Covington, VP of Product, Wandera. Malware is incorporated into the ad networks “without actually breaking into the distribution sites directly.”
Malvertising campaigns such as these continue “to plague businesses and consumers,” wrote Carbon Black co-founder and chief security strategist Ben Johnson in an email to SCMagazine.com. Targeting Android devices can yield “access to millions (potentially billions) of devices to exploit,” Johnson wrote. “The downside for attackers is that each carrier often has different versions of the operating system and there are many different versions of Android. Exploits are often pretty specific to the version of the operating system they provide.”
Svpeng was initially discovered by Kaspersky in July 2013 as a Trojan for the theft of payment card information from Russian bank customers. A ransomware version of the malware was discovered a year later in the U.S.