Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Attackers Exploited Chrome Zero-Day to Deliver Android Trojan

Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.

Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.

The existence of the Svpeng Trojan was first brought to light by Kaspersky in July 2013. Malicious actors have mainly used the malware to target Android users in Russia, but some campaigns were also aimed at devices in the United States and elsewhere.

Last year, authorities in Russia arrested the alleged creator of Svpeng and several other individuals suspected of using the Trojan. However, cybercriminals have continued to improve the malware since.

Svpeng has been known to include functionality for obtaining admin privileges, phishing payment card data, intercepting and sending SMS messages, launching ransomware attacks, and disabling mobile security solutions.

A new version of the Trojan spotted by Kaspersky Lab in August, which did not include any ransomware capabilities, had been delivered through popular news websites using Google’s AdSense advertising placement service.

Google took steps to address the issue, but not before hundreds of thousands of Android devices got infected with the malware. Kaspersky Lab detected roughly 318,000 infections over a two-month period, with the most recent attacks spotted on October 19.

The problem, according to Kaspersky, is that Google attempted to address the malvertising attacks by blocking the malicious ads on its AdSense network, instead of taking a more proactive approach. This has allowed the attackers to continue pushing ads to AdSense and infect a large number of devices.

Advertisement. Scroll to continue reading.

The campaign attracted Kaspersky’s attention partly because the malicious APK files served via ads were automatically downloaded to devices, without any warning to the victim. Researchers determined that the cybercriminals exploited a zero-day in the Android version of Chrome.

Chrome normally warns users when a potentially dangerous file is downloaded to their Android device and prompts them to confirm the action. However, the attackers bypassed this mechanism by breaking down the file into smaller pieces.

“When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user,” researchers explained.

Google has been informed about the issue and created a patch for the vulnerability. The fix will be included in the next Chrome for Android, which is version 55. Other browsers don’t appear to be affected by this flaw.

Kaspersky pointed out that the malware is not automatically installed on devices once it’s downloaded via the Chrome vulnerability. Instead, the attackers have given the malicious files names such as “WhatsApp.apk,” “last-browser-update.apk” or “Android_update_6.apk” in hopes of tricking users into installing the malware themselves.

Newer versions of Android, by default, prevent the installation of apps from unknown sources, but cybercriminals are likely counting on the fact that some users will disable this security feature to install certain apps that may not be available in Google Play.

The security firm also noted that the latest attacks were set up to infect only smartphones belonging to users in Russia and some former Soviet Union states.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.