Incidents

Good morning Android!

Table of Contents

This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!

1

Download of a malicious application while viewing a news site using AdSense

It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.

A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.

Good morning Android!

Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)

The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launching, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it). Svpeng can steal information about the user’s bank cards via phishing windows, intercept, delete, and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer). Also, the malware can counteract mobile security solutions that are popular in Russia by completeing their processes.

Good morning Android!

In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.

Be careful and use antivirus solutions!

On August 15, a Meduza representative reported that their problem with AdSense had been resolved and the news site was no longer infected.

Good morning Android!

Comment

Your email address will not be published. Required fields are marked *

 

Cancel

  1. dpeters11

    Does this not require the option to install from unknown sources to be enabled? Google doesn’t detect this through Verify Apps?

    Does it leverage a particular vulnerability that has been fixed in a certain version or monthly update?

    1. Michael

      My thoughts exactly. *Delivering* a malicious APK is one thing, but it can’t do anything bad if it isn’t installed, and that’s a much more difficult process to execute.

  2. Daniel W

    Not all Android builds supports “Verify Apps” and in those that do, users may turn it off for a number of reasons. Given the “last-browser-update” name, the crooks are likely just dumping an .apk on the device in the hope that the user is sufficiently curious or ignorant to manually install it. It stands to reason that users who would install found software of unknown provenance are more likely to allow sideloading. So, the particular vulnerability leveraged is most likely human gullibility, for which fixes are really hard, making it a popular choice among thieves.

  3. Jim Birch

    Does sideloading get a Darwin award?

    Maybe the sideloading enable switch should require people to click an I am an idiot checkbox.

Reports

APT trends report Q3 2021

The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021.

Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

Subscribe to our weekly e-mails

The hottest research right in your inbox