
Chrome exploit allows Svpeng trojan to bypass security measure; patch reportedly coming

The mobile banking trojan Svpeng continues to infect Android devices through malvertising campaigns delivered via the Google AdSense network. But at least experts at Kaspersky Lab now understand how the malicious APK has been able to automatically download itself while bypassing Google Chrome browser permissions.

According to Kaspersky via its Securelist blog, Google has developed a patch in response, but it will not take hold until the next official browser update.

Normally, a suspicious mobile program would trigger a Chrome alert screen that asks the user for permission to download the software, Kaspersky Lab explained in its blog. However, Svpeng's authors programmed the JavaScript malware to download in small, encrypted blocks of 1024 bytes, delivered in piecemeal fashion to the device.

The individual blocks are able to bypass Google Chrome's security measures; consequently the device owner never receives a notification. Once all of the disassembled code has been transferred over, Svpeng rebuilds itself on the device's SD card. This technique does not work on other browsers, Kaspersky noted.

The malware is automatically downloaded in the first place because the malicious code within the ad message emulates a click on the ad as if the user did it himself.

“When this method was used, Chrome's download manager did not perform a check on the file type of saved content,” explained Nikita Buchka, Kaspersky Lab malware analyst, in an email interview with SC Media.
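A defensive heuristic for the piecemeal delivery described above, added here as an example that is not part of the article or of Kaspersky's analysis. It assumes a constructed proxy log format and a constructed threshold (eight or more opaque 1024-byte responses from one host to one client within a minute); a client pulling many identical small opaque blocks in a burst is a lead for triage, not a verdict.

```python
"""Flag piecemeal file delivery in proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-time> <client-ip> <server-host> <bytes> <content-type>".
CHUNK_LINES = [
    f"2016-10-03T10:00:{i:02d} 10.0.0.5 ads.example.test 1024 application/octet-stream"
    for i in range(12)
]
NOISE_LINES = [
    "2016-10-03T10:00:01 10.0.0.5 news.example.test 48213 text/html",
    "2016-10-03T10:00:02 10.0.0.7 cdn.example.test 1024 image/png",
    "2016-10-03T10:05:00 10.0.0.7 cdn.example.test 1024 application/octet-stream",
    "2016-10-03T10:09:00 10.0.0.7 cdn.example.test 1024 application/octet-stream",
]
SAMPLE_LOG = "\n".join(CHUNK_LINES + NOISE_LINES)


def parse_line(line):
    """Return (timestamp, client, host, size, content_type) for one log line."""
    ts, client, host, size, ctype = line.split()
    return datetime.fromisoformat(ts), client, host, int(size), ctype


def find_chunked_transfers(log_text, chunk_size=1024, min_chunks=8, window=timedelta(seconds=60)):
    """Return [(client, host, count)] for every client/host pair that received at
    least `min_chunks` opaque responses of exactly `chunk_size` bytes inside one
    sliding interval of length `window`. Streaming media and legitimate chunked
    downloads can match too, so hits are triage leads rather than verdicts."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size, ctype = parse_line(line)
        if size == chunk_size and ctype == "application/octet-stream":
            times[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_chunks:
            hits.append((client, host, best))
    return hits


if __name__ == "__main__":
    for client, host, n in find_chunked_transfers(SAMPLE_LOG):
        print(f"{client} pulled {n} x 1024-byte opaque blocks from {host}")
```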

According to a Google spokesperson, the fix is "currently being tested in Chrome 54 and will be live 100 percent in Chrome 55." Additionally, the spokesperson noted that Google's Verify Apps tool, when enabled, provides warnings for Svpeng downloads, even if Chrome doesn't. And while the company doesn't have precise numbers, "the installs are much lower than the figures reported by Kaspersky."

Meanwhile, Google has taken measures to block the ads responsible for spreading the Trojan, noted Kaspersky. Nevertheless, the security company has observed multiple spikes in Svpeng activity of late, detecting infections in 318,000 users over a three-month period starting in August. Attacks peaked in early October, during which time there were as many as roughly 37,000 in one day. Indeed, the malicious ads “can be shown to a huge amount of users in a short span of time,” said Buchka.

Svpeng is designed to steal bank card information via phishing windows; intercept, delete and send text messages; and collect user phone data. Currently, the malware only impacts devices with a Russian-language interface. “However, next time [the culprits] push their ‘adverts’ on AdSense they may well choose to attack users in other countries,” warned the Kaspersky blog post.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
