Crooks distributing the Svpeng Android banking trojan have discovered a flaw in how Google Chrome for Android handles file downloads and have used it to forcibly and secretly download their malicious payload on the devices of over 318,000 users in the span of three months, starting with August 2016.
It is important to note that only Russian users have been targeted by this latest campaign, which thanks to researchers from Kaspersky Lab has been caught and stopped before spreading to other countries.
To summarize a technical analysis released yesterday by Kaspersky, the crooks used a quirk in how Google Chrome for Android handles file downloads.
In normal circumstances, users would have been prompted if they want to download the APK to their mobile's SD card.
Svpeng's authors discovered that if they broke the APK file into smaller blocks of 1024 bytes, Google Chrome for Android would download each block without notifying the user, and reconstruct the malicious app on the SD card without the user's knowledge.
Kaspersky says that based on their telemetry data, the Svpeng trojan was disguised in APK files named as follows:
2GIS.apk AndroidHDSpeedUp.apk Android_3D_Accelerate.apk. Android_update_6.apk Asphalt_7_Heat.apk CHEAT.apk Chrome_update.apk Cut_the_Rope_2.apk DrugVokrug.apk Google_Play.apk Instagram.apk Mobogenie.apk Root_Uninstaller.apk Skype.apk SpeedBoosterAndr6.0.apk Temple_Run.apk Trial_Xtreme.apk VKontakte.apk Viber.apk WEB-HD-VIDEO-Player.apk WhatsApp.apk last-browser-update.apk minecraftPE.apk new-android-browser.apk Установка.apk
In total, the Russian security firm says it detected these illegal downloads in over 318,000 separate incidents, with a peak infection rate of over 38,000 auto-downloads in a day at the start of October.
Experts said that this auto-downloading behavior triggered only if the user's device used Russian as its main UI language. In August, sites known to have spread Svpeng via AdSense ads included the Russia Today (RT) and the Meduza news portals.
In the past, Svpeng has also targeted the US and other countries, and this recent campaign was most likely a test. Fortunately, Kaspersky Lab experts picked up on the crooks' tricks and alerted Google, who issued a Google Chrome for Android update that now prevents the auto-downloading behavior.
The Google Chrome bug only auto-downloaded the file, and the number of users infected with Svpeng is likely lower, since users still had to find and open the malicious APK files on their phones.
This is not the first case when Android malware has reached user phones via an auto-downloading malvertising attack. The Cyber.Police (or Dogspectus) Android ransomware used the Towelroot exploit delivered via malicious ads to download and install the ransomware on the devices of unsuspecting users.