
Good morning Android!


This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!


Download of a malicious application while viewing a news site using AdSense

It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.
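The point of the paragraph above is that the APK arrives with no click at all, as a side effect of an ad being rendered on a page the user was merely reading. A proxy or gateway log is where a defender can see that pattern: an Android client fetches an ad-serving script, and a second later receives an APK from a host that is neither the page it was reading nor an app store. The script below is an added example, not Kaspersky's tooling or anything from the article: it walks a constructed, simplified tab-separated proxy log (the field layout, the sample entries, the "ad context" window of 30 seconds and the choice of which Google ad-serving hosts count as ad context are all this example's assumptions) and flags APK responses to Android user agents that did not come from the Play Store, marking whether the download was cross-site and whether it followed an ad fetch by the same client.

```python
"""Flag drive-by APK downloads in a web-proxy log.

Added example, not code from Kaspersky or from the article. The log format,
the sample lines, the 30-second ad-context window and the host lists are
constructed assumptions; adapt parse_line() to the proxy you actually run.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Google ad-serving hosts fetched when an AdSense creative is rendered.
# Treating them as "ad context" is this example's assumption.
AD_HOSTS = {
    "pagead2.googlesyndication.com",
    "tpc.googlesyndication.com",
    "googleads.g.doubleclick.net",
}
# Legitimate APK sources that must not be flagged.
STORE_HOSTS = {"play.google.com", "android.clients.google.com"}
APK_MIME = "application/vnd.android.package-archive"
AD_WINDOW = timedelta(seconds=30)

# Constructed sample log. Fields (tab-separated):
# time, client, method, url, status, mime, referer, user-agent
SAMPLE_LOG = (
    "2016-08-15T08:12:01Z\t10.0.0.7\tGET\thttps://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js\t200\ttext/javascript\thttps://news.example/\tMozilla/5.0 (Linux; Android 6.0) Chrome/52.0 Mobile\n"
    "2016-08-15T08:12:02Z\t10.0.0.7\tGET\thttp://update.example/last-browser-update.apk\t200\tapplication/vnd.android.package-archive\thttps://news.example/\tMozilla/5.0 (Linux; Android 6.0) Chrome/52.0 Mobile\n"
    "2016-08-15T08:13:10Z\t10.0.0.9\tGET\thttps://play.google.com/store/apps/details?id=com.example.app\t200\ttext/html\t-\tMozilla/5.0 (Linux; Android 7.0) Chrome/52.0 Mobile\n"
    "2016-08-15T08:13:20Z\t10.0.0.9\tGET\thttps://android.clients.google.com/market/download/Download?packageName=com.example.app\t200\tapplication/vnd.android.package-archive\thttps://play.google.com/\tMozilla/5.0 (Linux; Android 7.0) Chrome/52.0 Mobile\n"
    "2016-08-15T08:14:00Z\t10.0.0.11\tGET\thttps://files.example/tool.apk\t200\tapplication/vnd.android.package-archive\t-\tMozilla/5.0 (Linux; Android 5.1) Chrome/52.0 Mobile\n"
    "2016-08-15T08:15:00Z\t10.0.0.12\tGET\thttps://files.example/tool.apk\t200\tapplication/vnd.android.package-archive\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/52.0\n"
)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    t, client, method, url, status, mime, referer, ua = line.rstrip("\n").split("\t")
    return {
        "time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "mime": mime,
        "referer": "" if referer == "-" else referer,
        "ua": ua,
    }


def is_apk(rec):
    """APK by declared MIME type or by file extension (servers lie about MIME)."""
    return rec["mime"] == APK_MIME or urlparse(rec["url"]).path.lower().endswith(".apk")


def find_driveby_apk_downloads(log_text):
    """Return APK downloads by Android clients that did not come from the store.

    Each hit records whether the APK was served by a host other than the
    referring page (cross_site) and whether the same client fetched an ad
    script within AD_WINDOW beforehand (ad_context).
    """
    last_ad_fetch = {}  # client -> time of its most recent ad-host request
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname or ""
        if host in AD_HOSTS:
            last_ad_fetch[rec["client"]] = rec["time"]
            continue
        if rec["status"] != 200 or not is_apk(rec):
            continue
        if "Android" not in rec["ua"] or host in STORE_HOSTS:
            continue
        ref_host = urlparse(rec["referer"]).hostname or ""
        ad_time = last_ad_fetch.get(rec["client"])
        hits.append({
            "client": rec["client"],
            "url": rec["url"],
            "referer": rec["referer"],
            "cross_site": bool(ref_host) and ref_host != host,
            "ad_context": ad_time is not None and rec["time"] - ad_time <= AD_WINDOW,
        })
    return hits


if __name__ == "__main__":
    for hit in find_driveby_apk_downloads(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, the Play Store download and the Windows client are ignored, the manual sideload from 10.0.0.11 is reported without ad context, and the `last-browser-update.apk` fetch from 10.0.0.7 is reported as both cross-site and following an ad fetch, which is the shape of the incident described above. The referer check is only a heuristic: a browser may omit or strip it, so treat `cross_site` as corroborating evidence rather than a requirement.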

A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.


Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)

The Svpeng family of banking Trojans has long been known to Kaspersky Lab and has a standard set of malicious functions. Once installed and launched, it hides itself from the list of installed apps and requests device administrator rights, which makes it harder for the user or an antivirus product to remove it. Svpeng steals the user's bank card details through phishing windows, and it can intercept, delete and send text messages, which it needs for attacks on remote banking systems that use SMS as a transport layer. It can also counteract mobile security solutions that are popular in Russia by terminating their processes.


In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.
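Most of the capabilities listed above (device admin, SMS interception and sending, overlay phishing windows, killing other apps' processes, reading call logs, contacts and bookmarks) have to be declared in the APK's manifest, so a decoded AndroidManifest.xml is a cheap first triage step for a sample like last-browser-update.apk. The script below is an added example, not Kaspersky's tooling or anything from the article: it parses the manifest that apktool or a similar decoder produces and maps declared permissions and receivers onto the capability set described above. The two sample manifests are constructed, and the permission-to-capability mapping, the priority threshold and the score are this example's own assumptions. Hiding from the app list is done at runtime by disabling the app's own launcher component, so that behaviour cannot be read from the manifest.

```python
"""Triage a decoded AndroidManifest.xml for banking-Trojan capabilities.

Added example, not code from Kaspersky or from the article. The sample
manifests are constructed; the capability mapping and thresholds are this
example's assumptions. Feed it the AndroidManifest.xml produced by apktool.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capabilities that any one of the listed permissions is enough to indicate.
# READ_HISTORY_BOOKMARKS is a legacy browser permission honoured by older builds.
ANY_OF = {
    "overlay_phishing_window": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "kill_security_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "harvest_user_data": {
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_CONTACTS",
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    },
}
# Both are needed to intercept incoming codes and send SMS banking commands.
SMS_CONTROL = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
PRIORITY_THRESHOLD = 100  # assumption: anything this high is competing with the SMS app

# Constructed manifest resembling what such a banker would declare.
SAMPLE_MALICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lastbrowserupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Browser update">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def _has_action(element, action_name):
    return any(a.get(ANDROID + "name") == action_name for a in element.iter("action"))


def triage_manifest(xml_text):
    """Map declared permissions and receivers onto the capability set."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = {"sms_intercept_and_send": SMS_CONTROL <= perms}
    for capability, wanted in ANY_OF.items():
        findings[capability] = bool(perms & wanted)
    # A receiver protected by BIND_DEVICE_ADMIN that handles DEVICE_ADMIN_ENABLED
    # is the hook the app uses to obtain admin rights and resist removal.
    findings["device_admin"] = any(
        r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        and _has_action(r, "android.app.action.DEVICE_ADMIN_ENABLED")
        for r in root.iter("receiver")
    )
    # A high-priority SMS_RECEIVED filter sees incoming SMS before the messaging
    # app; before Android 4.4 it could also abort the broadcast to hide the message.
    findings["priority_sms_receiver"] = any(
        int(f.get(ANDROID + "priority", "0")) >= PRIORITY_THRESHOLD
        and _has_action(f, "android.provider.Telephony.SMS_RECEIVED")
        for f in root.iter("intent-filter")
    )
    findings["score"] = sum(1 for v in findings.values() if v is True)
    findings["package"] = root.get("package")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

The score is only a triage signal: a legitimate SMS app declares the same SMS permissions, and a device-admin receiver is normal for MDM agents. What makes the constructed malicious sample stand out is the combination of all six capabilities in an app labelled as a browser update, which is exactly the combination the article describes.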

Be careful and use antivirus solutions!

On August 15, a Meduza representative reported that their problem with AdSense had been resolved and the news site was no longer infected.



  1. dpeters11

    Does this not require the option to install from unknown sources to be enabled? Google doesn’t detect this through Verify Apps?

    Does it leverage a particular vulnerability that has been fixed in a certain version or monthly update?

    1. Michael

      My thoughts exactly. *Delivering* a malicious APK is one thing, but it can’t do anything bad if it isn’t installed, and that’s a much more difficult process to execute.

  2. Daniel W

    Not all Android builds support “Verify Apps” and in those that do, users may turn it off for a number of reasons. Given the “last-browser-update” name, the crooks are likely just dumping an .apk on the device in the hope that the user is sufficiently curious or ignorant to manually install it. It stands to reason that users who would install found software of unknown provenance are more likely to allow sideloading. So, the particular vulnerability leveraged is most likely human gullibility, for which fixes are really hard, making it a popular choice among thieves.

  3. Jim Birch

    Does sideloading get a Darwin award?

    Maybe the sideloading enable switch should require people to click an I am an idiot checkbox.
