November 8, 2016
A vulnerability in Chrome for Android is actively being exploited in the wild that allows hackers to quietly download banking trojan apps (.apk) onto victim’s’ device without their confirmation.
You might have encountered a pop-up advertisement that appears out of nowhere and surprise you that your mobile device has been infected with a dangerous virus and instructs you to install a security app to remove it immediately.
This malicious advertising web page automatically downloads an Android app installation (.apk) file to your device without requiring any approval.
Citing malware threats on your mobile device, attackers trick you to change your device’s settings to allow installation of the third-party apps from stores other than Google Play Store and install the banking trojan app on your device.
Kaspersky researchers Mikhail Kuzin and Nikita Buchka discovered one such widespread malicious advertising campaign across Russian news sites and popular websites.
Since this August, the Trojan has infected over 318,000 Android devices across the world — thanks to Google AdSense advertisements that was being abused to spread malicious mobile banking trojan, dubbed Svpeng.
“When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user,” the duo explains in a blog post.
Google has acknowledged the issue, blocked the malicious ads and planned to patch it, although it is unclear when the next Android Chrome version will be released.