Over 318000 Android Users Affected by Auto-Downloading Malvertising Attack - BleepingComputer

Crooks distributing the Svpeng Android banking trojan have discovered a flaw in how Google Chrome for Android handles file downloads and have used it to forcibly and secretly download their malicious payload on the devices of over 318,000 users in the span of three months, starting with August 2016.To deliver their payload, the Svpeng authors used malicious JavaScript that they packed inside Google AdSense ads delivered via Russian sites.It is important to note that only Russian users have been targeted by this latest campaign, which thanks to researchers from Kaspersky Lab has been caught and stopped before spreading to other countries. Svpeng auto-downloading campaign activity Google Chrome bug leads to 318,000 downloads of Android banking trojanTo summarize a technical analysis released yesterday by Kaspersky, the crooks used a quirk in how Google Chrome for Android handles file downloads.The Svpeng gang converted malicious APKs (Android app files) into an encrypted array of bytes, which they delivered as JavaScript via AdSense ads.When the JavaScript code executed in the user's browser, a function mimicked a user tap on the ad, which started the APK download.In normal circumstances, users would have been prompted if they want to download the APK to their mobile's SD card.Svpeng's authors discovered that if they broke the APK file into smaller blocks of 1024 bytes, Google Chrome for Android would download each block without notifying the user, and reconstruct the malicious app on the SD card without the user's knowledge.Over 38,000 auto-downloads during campaign peakKaspersky says that based on their telemetry data, the Svpeng trojan was disguised in APK files named as follows:2GIS.apk AndroidHDSpeedUp.apk Android_3D_Accelerate.apk. Android_update_6.apk Asphalt_7_Heat.apk CHEAT.apk Chrome_update.apk Cut_the_Rope_2.apk DrugVokrug.apk Google_Play.apk Instagram.apk Mobogenie.apk Root_Uninstaller.apk Skype.apk SpeedBoosterAndr6.0.apk Temple_Run.apk Trial_Xtreme.apk VKontakte.apk Viber.apk WEB-HD-VIDEO-Player.apk WhatsApp.apk last-browser-update.apk minecraftPE.apk new-android-browser.apk Установка.apkIn total, the Russian security firm says it detected these illegal downloads in over 318,000 separate incidents, with a peak infection rate of over 38,000 auto-downloads in a day at the start of October.Only Russian-speaking users targetedExperts said that this auto-downloading behavior triggered only if the user's device used Russian as its main UI language. In August, sites known to have spread Svpeng via AdSense ads included the Russia Today (RT) and the Meduza news portals.In the past, Svpeng has also targeted the US and other countries, and this recent campaign was most likely a test. Fortunately, Kaspersky Lab experts picked up on the crooks' tricks and alerted Google, who issued a Google Chrome for Android update that now prevents the auto-downloading behavior.The Google Chrome bug only auto-downloaded the file, and the number of users infected with Svpeng is likely lower, since users still had to find and open the malicious APK files on their phones.This is not the first case when Android malware has reached user phones via an auto-downloading malvertising attack. The Cyber.Police (or Dogspectus) Android ransomware used the Towelroot exploit delivered via malicious ads to download and install the ransomware on the devices of unsuspecting users.