Crooks distributing the Svpeng Android banking trojan have discovered a flaw in how Google Chrome for Android handles file downloads and have used it to forcibly and secretly download their malicious payload on the devices of over 318,000 users in the span of three months, starting with August 2016.

To deliver their payload, the Svpeng authors used malicious JavaScript that they packed inside Google AdSense ads delivered via Russian sites.

It is important to note that only Russian users have been targeted by this latest campaign, which thanks to researchers from Kaspersky Lab has been caught and stopped before spreading to other countries.

Svpeng activity
Svpeng auto-downloading campaign activity

Google Chrome bug leads to 318,000 downloads of Android banking trojan

To summarize a technical analysis released yesterday by Kaspersky, the crooks used a quirk in how Google Chrome for Android handles file downloads.

The Svpeng gang converted malicious APKs (Android app files) into an encrypted array of bytes, which they delivered as JavaScript via AdSense ads.

When the JavaScript code executed in the user's browser, a function mimicked a user tap on the ad, which started the APK download.

In normal circumstances, users would have been prompted if they want to download the APK to their mobile's SD card.

Svpeng's authors discovered that if they broke the APK file into smaller blocks of 1024 bytes, Google Chrome for Android would download each block without notifying the user, and reconstruct the malicious app on the SD card without the user's knowledge.

Over 38,000 auto-downloads during campaign peak

Kaspersky says that based on their telemetry data, the Svpeng trojan was disguised in APK files named as follows:

2GIS.apk
AndroidHDSpeedUp.apk
Android_3D_Accelerate.apk.
Android_update_6.apk
Asphalt_7_Heat.apk
CHEAT.apk
Chrome_update.apk
Cut_the_Rope_2.apk
DrugVokrug.apk
Google_Play.apk
Instagram.apk
Mobogenie.apk
Root_Uninstaller.apk
Skype.apk
SpeedBoosterAndr6.0.apk
Temple_Run.apk
Trial_Xtreme.apk
VKontakte.apk
Viber.apk
WEB-HD-VIDEO-Player.apk
WhatsApp.apk
last-browser-update.apk
minecraftPE.apk
new-android-browser.apk
Установка.apk

In total, the Russian security firm says it detected these illegal downloads in over 318,000 separate incidents, with a peak infection rate of over 38,000 auto-downloads in a day at the start of October.

Only Russian-speaking users targeted

Experts said that this auto-downloading behavior triggered only if the user's device used Russian as its main UI language. In August, sites known to have spread Svpeng via AdSense ads included the Russia Today (RT) and the Meduza news portals.

In the past, Svpeng has also targeted the US and other countries, and this recent campaign was most likely a test. Fortunately, Kaspersky Lab experts picked up on the crooks' tricks and alerted Google, who issued a Google Chrome for Android update that now prevents the auto-downloading behavior.

The Google Chrome bug only auto-downloaded the file, and the number of users infected with Svpeng is likely lower, since users still had to find and open the malicious APK files on their phones.

This is not the first case when Android malware has reached user phones via an auto-downloading malvertising attack. The Cyber.Police (or Dogspectus) Android ransomware used the Towelroot exploit delivered via malicious ads to download and install the ransomware on the devices of unsuspecting users.