Bug in Chrome for mobile exploited for drive-by Android malware downloads
Users of the mobile version of Google Chrome should be extra careful when faced with unsolicited offers to install a popular app, Kaspersky Lab researchers warn.
Cyber crooks pushing the Svpeng Android banking Trojan are taking advantage of a bug that allows them to force the download of the malware onto the target’s Android device without any user interaction, and other malware peddlers might soon hop on that particular train.
How the attack unfolds
The Svpeng-pushers have been using AdSense to deliver the malware: they created malicious ads that include JavaScript code, which carries the malicious APK file (broken down into blocks) and saves it to the target’s device.
“When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file,” the researchers explained.
“When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user.”
This trick works only on Google Chrome.
Also, it’s good to note that the malware is downloaded automatically, but the user still has to install it. In order to facilitate this last step, the crooks make it look like a number of popular apps and important updates (Instagram, VKontakte, Skype, WhatsApp, Chrome update, etc.).
“In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an ‘important browser update’ or a newer version of a popular app that is already on their phone,” the researchers noted.
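As an added illustration, not part of the Kaspersky report or this article, here is a Python scanner an ad network or web security team could run over ad creatives to flag the pattern described above: a large base64-encoded literal whose decoded head carries the ZIP magic (an APK is a ZIP archive), assembled through Blob() and pointed at the browser's save path. The indicator names, weights and the two sample scripts are constructed for this example.

```python
import base64
import re

# Indicators drawn from the pattern described above: the APK travels inside the
# ad's JavaScript in pieces, is reassembled with Blob() and saved without a
# content-type check. Names, weights and samples are constructed for this example.
APK_MIME = "application/vnd.android.package-archive"
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive, so its first bytes are PK..
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")

INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*['\"]"),
    "apk_name": re.compile(r"\.apk['\"]", re.IGNORECASE),
    "apk_mime": re.compile(re.escape(APK_MIME)),
}

def embedded_zip_payload(script: str) -> bool:
    """True if a quoted base64 literal decodes to bytes that start with the ZIP magic."""
    for literal in BASE64_LITERAL.findall(script):
        # Eight base64 characters decode to the first six bytes; enough for the magic.
        if base64.b64decode(literal[:8]).startswith(ZIP_MAGIC):
            return True
    return False

def scan_ad_script(script: str) -> dict:
    """Score one ad creative's JavaScript; flagged as suspicious at score >= 4."""
    found = [name for name, rx in INDICATORS.items() if rx.search(script)]
    if embedded_zip_payload(script):
        found.append("embedded_zip_payload")
    score = len(found)
    # A chunked archive fed into Blob() is the core of the reported trick: weight it extra.
    if "blob_constructor" in found and "embedded_zip_payload" in found:
        score += 3
    return {"indicators": found, "score": score, "suspicious": score >= 4}

# Constructed sample creatives (not real ad code).
BENIGN_AD = """
var img = document.createElement('img');
img.src = 'https://ads.example.invalid/creative.png';
"""

SUSPICIOUS_AD = """
var parts = ['UEsDBBQACAgIAAAAIQAAAAAAAAAAAAAAAAAAAA', 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'];
var blob = new Blob(parts.map(atob), {type: 'application/vnd.android.package-archive'});
var link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'Instagram_update.apk';
"""
```

The benign creative scores 0; the constructed suspicious one trips every indicator and the extra weight, so it is flagged.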
What now?
Google has been notified of the attacks as they happened (throughout 2016, the latest one on October 19) and has reacted quickly by blocking the ads, but that was still too late to prevent thousands of Android devices from automatically downloading the malware.
Blocking the ads alone is definitely not enough. According to the researchers, Google has already worked out a patch for the issue, and it will be included in the next update of Chrome for Android.
For now, it seems that no other group has picked up this particular trick, so only smartphones with a Russian-language interface are currently targeted (Svpeng targets only users from Russia and CIS countries).
But until Google pushes out the patch, switching to another mobile browser might be a solution. Another one is even simpler: don’t install and run apps that you yourself haven’t downloaded.