More often than not, malware attacks start with conning unsuspecting users into visiting seemingly innocent, even helpful, websites or downloading software. Far more frightening, however, is malware that escapes early detection because it piggybacks on legitimate channels or apps. Such is the case with an Android Trojan reported by security company Kaspersky Lab Solutions called “Trojan-Banker.AndroidOS.Svpeng.q”, or Svpeng, for short. This particular malware, which attempts to intercept and steal banking information, is spreading on perfectly legit websites through Google’s own AdSense advertising network.
There are very few websites these days that don’t serve up one form of advertisement or another. It is an easy and convenient way to monetize the number of visitors to your website. Of the many ad networks competing in this rather aggressive space, Google’s AdSense is, of course, the most popular, which also makes it the best target for this kind of attack.
The Svpeng Trojan downloads itself as soon as an infected ad is loaded, regardless of whether the user tapped on it or not. If the user doesn’t have the necessary third-party app protections enabled, Svpeng will be able to install itself successfully and then remove itself from the list of installed apps. And to ensure that it won’t get uninstalled so easily, it will try to gain admin rights as well. Once it settles in, it will attempt to use phishing to steal users’ banking credentials. Alternatively, it also spies on SMS messages, for those cases when online banking requires authentication via text messages.
As Svpeng rides on AdSense, any website can become an unwilling accomplice to spreading the malware, and website owners have little recourse but to hope Google patches things on its end. Users are also more susceptible to getting infected, since simply visiting their favorite websites is enough.
The good news is that the Svpeng malware strain is actually known to many anti-virus programs, like Kaspersky’s of course, so it can be identified and blocked. But even if you don’t have such a security program installed, simply disallowing the installation of apps from unverified sources goes a long way toward protecting your Android device from attack.