Nearly 3,18,000 Android users hacked via Google’s AdSense vulnerability

Kaspersky Lab, an international cybersecurity and anti-virus provider headquartered in Moscow and operated by a holding company in the United Kingdom, on Tuesday said that it has discovered a modification of the mobile banking Trojan, Svpeng hiding in Google's advertising network AdSense.

"Since mid-July, Svpeng has been detected on the Android devices of around 318,000 users, with the rate of infection peaking at 37,000 victims in a day. The attackers, intent on stealing bank card information and personal data such as contacts and call history, were exploiting a bug in Google Chrome for Android," Kaspersky Lab said in a statement adding that the bug was fixed by Google.

The first known case of a Svpeng attack using the bug in Chrome for Android occurred in mid-July on an online Russian news outlet, the anti-virus provider said adding that the Trojan silently downloaded itself onto the Android devices of the website's visitors.

The spread started from an infected advert being placed on Google AdSense. The advert displayed "normally" on uninfected webpages, with the Trojan only downloading when the user accessed the page via the Chrome browser on an Android device.

"Svpeng disguised itself as an important browser update or popular application, to convince the user to approve the installation. Once the malware was launched it disappeared from the list of installed apps and asked the user to give it device admin rights. This made the malware harder to detect," Kaspersky explained adding that the attackers had found a way to bypass some key security features of Google Chrome for Android.

Under normal circumstances, when an APK file is downloaded on a mobile device via an external web link, the browser displays a warning that a potentially dangerous object is being downloaded. In this case, fraudsters found a security flaw that allowed APK files to be downloaded without notifying users. On discovering the bug, Kaspersky Lab immediately reported the issue to Google.

The patch will be issued in the nearest Google Chrome for Android update, the company said.

"The Svpeng case confirms, yet again, the importance of cooperation between companies. We share a common goal to protect users from cyberattack, and it is vital that we work together to achieve this. We are happy to help make the Android ecosystem safer, and would like to thank Google for its prompt response to our report. We also urge users to avoid downloading applications from untrusted sources and to be cautious when it comes to what permissions they are asked to give and why," Nikita Buchka, malware analyst at Kaspersky Lab, advised.

The Svpeng mobile banking Trojan is designed to steal bank card information. It also collects call history, text and multimedia messages, browser bookmarks and contacts. Svpeng mainly attacks Russian-speaking countries, however it has the potential to spread globally. Due to the specific nature of the malware distribution, millions of webpages globally are at risk, with many of them using AdSense to display adverts.