Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Attackers Exploited Chrome Zero-Day to Deliver Android Trojan

Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.

Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.

The existence of the Svpeng Trojan was first brought to light by Kaspersky in July 2013. Malicious actors have mainly used the malware to target Android users in Russia, but some campaigns were also aimed at devices in the United States and elsewhere.

Last year, authorities in Russia arrested the alleged creator of Svpeng and several other individuals suspected of using the Trojan. However, cybercriminals have continued to improve the malware since.

Svpeng has been known to include functionality for obtaining admin privileges, phishing payment card data, intercepting and sending SMS messages, launching ransomware attacks, and disabling mobile security solutions.

A new version of the Trojan spotted by Kaspersky Lab in August, which did not include any ransomware capabilities, had been delivered through popular news websites using Google’s AdSense advertising placement service.

Google took steps to address the issue, but not before hundreds of thousands of Android devices got infected with the malware. Kaspersky Lab detected roughly 318,000 infections over a two-month period, with the most recent attacks spotted on October 19.

The problem, according to Kaspersky, is that Google attempted to address the malvertising attacks by blocking the malicious ads on its AdSense network, instead of taking a more proactive approach. This has allowed the attackers to continue pushing ads to AdSense and infect a large number of devices.

The campaign attracted Kaspersky’s attention partly because the malicious APK files served via ads were automatically downloaded to devices, without any warning to the victim. Researchers determined that the cybercriminals exploited a zero-day in the Android version of Chrome.

Advertisement. Scroll to continue reading.

Chrome normally warns users when a potentially dangerous file is downloaded to their Android device and prompts them to confirm the action. However, the attackers bypassed this mechanism by breaking down the file into smaller pieces.

“When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user,” researchers explained.

Google has been informed about the issue and created a patch for the vulnerability. The fix will be included in the next Chrome for Android, which is version 55. Other browsers don’t appear to be affected by this flaw.

Kaspersky pointed out that the malware is not automatically installed on devices once it’s downloaded via the Chrome vulnerability. Instead, the attackers have given the malicious files names such as “WhatsApp.apk,” “last-browser-update.apk” or “Android_update_6.apk” in hopes of tricking users into installing the malware themselves.

Newer versions of Android, by default, prevent the installation of apps from unknown sources, but cybercriminals are likely counting on the fact that some users will disable this security feature to install certain apps that may not be available in Google Play.

The security firm also noted that the latest attacks were set up to infect only smartphones belonging to users in Russia and some former Soviet Union states.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.