Criminal hackers are distributing the Svpeng Android Banking Trojan via a security vulnerability in the Google Chrome browser.
The Svpeng Android Trojan Is Distributed via Google Chrome
The Svpeng Android banking Trojan is a malware threat that uses a security flaw in the Google Chrome browser to infect Android devices. The vulnerability lies in the way the browser handles file downloads.
According to security reports, Svpeng has infected over 318 000 users since August 2016. The criminals behind the Trojan used malicious JavaScript code inserted into a Google AdSense advertisement that targets primarily Russian sites.
To date, the campaign has targeted Russian and Russian-speaking users, which may mean that the operators are based in a Russian-speaking country.
The Trojan is delivered as a malicious APK package. Normally Google Chrome asks the user whether they want to download such a file to the SD card of the device.
The malware authors used a tactic that breaks the file into blocks of 1024 bytes. The browser downloads each block without prompting and reconstructs the malicious app on the SD card without alerting the user.
Svpeng uses a variety of aliases to disguise itself, including the following:
- 2GIS.apk
- AndroidHDSpeedUp.apk
- Android_3D_Accelerate.apk
- Android_update_6.apk
- Asphalt_7_Heat.apk
- CHEAT.apk
- Chrome_update.apk
- Cut_the_Rope_2.apk
- DrugVokrug.apk
- Google_Play.apk
- Instagram.apk
- Mobogenie.apk
- Root_Uninstaller.apk
- Skype.apk
- SpeedBoosterAndr6.0.apk
- Temple_Run.apk
- Trial_Xtreme.apk
- VKontakte.apk
- Viber.apk
- WEB-HD-VIDEO-Player.apk
- WhatsApp.apk
- last-browser-update.apk
- minecraftPE.apk
- new-android-browser.apk
- Установка.apk
The peak detected infection rate was 38 000 downloads in a single day.
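A defender-side check for the behaviour described above, added here as an example and not code from the article or from Kaspersky: it inspects files already written to a download directory, flags anything that is really an APK by content regardless of its name, and matches file names against the alias list above. The alias set is copied from the article; the sample APK used for testing is constructed and contains no real code.

```python
import io
import zipfile
from pathlib import Path

# File names the article reports Svpeng hiding behind (list taken from the article).
SVPENG_ALIASES = {
    "2GIS.apk", "AndroidHDSpeedUp.apk", "Android_3D_Accelerate.apk",
    "Android_update_6.apk", "Asphalt_7_Heat.apk", "CHEAT.apk", "Chrome_update.apk",
    "Cut_the_Rope_2.apk", "DrugVokrug.apk", "Google_Play.apk", "Instagram.apk",
    "Mobogenie.apk", "Root_Uninstaller.apk", "Skype.apk", "SpeedBoosterAndr6.0.apk",
    "Temple_Run.apk", "Trial_Xtreme.apk", "VKontakte.apk", "Viber.apk",
    "WEB-HD-VIDEO-Player.apk", "WhatsApp.apk", "last-browser-update.apk",
    "minecraftPE.apk", "new-android-browser.apk", "Установка.apk",
}

# Every real APK is a ZIP archive that carries at least these two entries.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}

def is_apk(data: bytes) -> bool:
    """Return True if the bytes form a ZIP archive containing the mandatory APK entries."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return APK_MARKERS <= set(zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify(filename: str, data: bytes) -> str:
    """Label one downloaded file by content first, then by its name."""
    if not is_apk(data):
        return "not-apk"
    if filename in SVPENG_ALIASES:
        return "svpeng-alias"        # APK content under a name from the reported alias list
    if not filename.lower().endswith(".apk"):
        return "disguised-apk"       # APK content hiding behind a non-.apk file name
    return "apk"

def scan_downloads(directory: Path) -> dict:
    """Classify every regular file in a download directory (e.g. the SD card's Download folder)."""
    return {p.name: classify(p.name, p.read_bytes()) for p in directory.iterdir() if p.is_file()}

def build_sample_apk() -> bytes:
    """Constructed test input: a minimal ZIP with the APK marker entries and no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()
```

Run `scan_downloads(Path("/sdcard/Download"))` on a device image or an adb-pulled copy of the folder; any `svpeng-alias` or `disguised-apk` result is worth a closer look.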
The Prior Svpeng Infections
The Svpeng banking Trojan is already known to security researchers from several notable earlier campaigns. The current wave of attacks uses triggers that check whether the user's device has Russian as its main user interface language, a measure that selectively chooses which victims to target.
Sites reported to have spread Svpeng through malicious advertisements include Russia Today (RT) and the popular Meduza news portal. The malicious ad appeared on these sites via the AdSense engine they run.
In the past the malware has also targeted other countries, including the USA. Some experts believe this wave is probably a test by the developers to gauge how effective large campaigns can be.
Fortunately the attacks have stopped, as experts from Kaspersky Lab alerted Google to Svpeng's recent activity. An update fixing the vulnerability was issued immediately.