Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.
The existence of the Svpeng Trojan was first brought to light by Kaspersky in July 2013. Malicious actors have mainly used the malware to target Android users in Russia, but some campaigns were also aimed at devices in the United States and elsewhere.
Last year, authorities in Russia arrested the alleged creator of Svpeng and several other individuals suspected of using the Trojan. However, cybercriminals have continued to improve the malware since.
Svpeng has been known to include functionality for obtaining admin privileges, phishing payment card data, intercepting and sending SMS messages, launching ransomware attacks, and disabling mobile security solutions.
A new version of the Trojan spotted by Kaspersky Lab in August, which did not include any ransomware capabilities, had been delivered through popular news websites using Google’s AdSense advertising placement service.
Google took steps to address the issue, but not before hundreds of thousands of Android devices got infected with the malware. Kaspersky Lab detected roughly 318,000 infections over a two-month period, with the most recent attacks spotted on October 19.
The problem, according to Kaspersky, is that Google attempted to address the malvertising attacks by blocking the malicious ads on its AdSense network, instead of taking a more proactive approach. This has allowed the attackers to continue pushing ads to AdSense and infect a large number of devices.
The campaign attracted Kaspersky’s attention partly because the malicious APK files served via ads were automatically downloaded to devices, without any warning to the victim. Researchers determined that the cybercriminals exploited a zero-day in the Android version of Chrome.
Chrome normally warns users when a potentially dangerous file is downloaded to their Android device and prompts them to confirm the action. However, the attackers bypassed this mechanism by breaking down the file into smaller pieces.
“When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user,” researchers explained.
Google has been informed about the issue and created a patch for the vulnerability. The fix will be included in the next Chrome for Android, which is version 55. Other browsers don’t appear to be affected by this flaw.
Kaspersky pointed out that the malware is not automatically installed on devices once it’s downloaded via the Chrome vulnerability. Instead, the attackers have given the malicious files names such as “WhatsApp.apk,” “last-browser-update.apk” or “Android_update_6.apk” in hopes of tricking users into installing the malware themselves.
Newer versions of Android, by default, prevent the installation of apps from unknown sources, but cybercriminals are likely counting on the fact that some users will disable this security feature to install certain apps that may not be available in Google Play.
The security firm also noted that the latest attacks were set up to infect only smartphones belonging to users in Russia and some former Soviet Union states.