Security experts are warning Android users of a well-known banking trojan which is being spread by the Google AdSense network, meaning users only need to visit a legitimate site to get infected.
Kaspersky Lab malware analysts Mikhail Kuzin and Nikita Buchka explained in a blog post yesterday that the Svpeng trojan was infecting visitors to a popular banking portal without the need to follow malicious links.
This isn’t the first example of such a campaign. The duo claimed that the Meduza news portal was forced to disable AdSense after unwittingly serving up an earlier version of the trojan to visitors.
“The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions,” they wrote. “After being installed and launching, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it).”
The trojan is designed to steal bank card data via phishing windows and intercept, delete and send SMS messages in order to attack mobile banking systems that rely on texts to communicate information.
The malware has also been built to bypass mobile security tools, they said.
“In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts,” they added.
“Be careful and use antivirus solutions.”
Svpeng is well known to the research community, having first appeared as a standard trojan designed to steal from SMS banking accounts back in 2013.
Then a year later analysts saw it had been developed further to feature more sophisticated elements such as waiting until a victim opens a mobile banking app and then replacing it with its own in an attempt to steal their login and password.
The malware also came with a new ransomware element, which its authors decided to spin off into a separate threat.
It’s a screen-locking variant rather than crypto-ransomware, but this is typical of mobile ransomware: Android restricts third-party apps’ access to user data, and that data is often backed up to the cloud automatically, Kaspersky Lab said.
Malvertising is an increasingly common means for the black hats to get their wares onto victims’ machines.
In fact, malvertising-related blacklist incidents jumped 400% from 1H 2015 to the same period a year later, reaching 1.7 million, according to RiskIQ.
“The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has introduced sophisticated profiling capabilities which can be exploited by cyber criminals to precisely target specific populations of users,” explained Ben Harknett, EMEA vice president at RiskIQ.
“The bottom line is that the RoI on malvertising is much higher than many other tactics.”