Researchers have found a new variant of an old Trojan being silently delivered to Android devices via the Google AdSense network, but Google's protections should be keeping users safe.
New research from Kaspersky Lab identified a variant of the Svpeng mobile banking Trojan that is delivered to Android devices without any user interaction.
Mikhail Kuzin and Nikita Buchka, malware analysts for Kaspersky Lab, based in Moscow, described the finding in a blog post.
"There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required. It turns out the malicious program is downloaded via the Google AdSense advertising network ... anyone can register their ad on this network -- they just need to pay a fee. And it seems that didn't deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited."
The Svpeng banking Trojan was first discovered in mid-2014. Kuzin and Buchka wrote it "can steal information about the user's bank cards via phishing windows, [as well as] intercept, delete and send text messages," and it "collects an impressive amount of information from the user's phone -- the call history, text and multimedia messages, browser bookmarks and contacts."
Although the Trojan app is silently delivered to Android devices, it cannot perform any of these functions without being installed. This means a user would have to find the downloaded app, install it, turn off Android's standard protections against installing apps from unknown sources, and finally bypass Google's Verify Apps protections, which warn users when they are potentially installing malware.
Buchka described the deception techniques, but said Google's Android security measures have started blocking the AdSense malware.
"The malicious .apk was downloading without [a] user's actions. But the user had to give the permission on the installation. Fraudsters were using file names such as 'last-browser-update' [and] 'important-browser-update' to deceive the unsuspecting user and force him to install malicious .apk. The duped user allowed installation, thinking that it was a critical update," Buchka told SearchSecurity. "At the time of research, Google's Verify Apps protections [were] not detecting this application as potentially dangerous, but now Google's protection stops it."