Security News Google to patch Chrome mobile hole after bank trojan hits 318k users

Solarquest

Flaw allowing ads to offer dodgy apps won't be fixed for about three weeks
An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser.

The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval.


Users need to install the banking trojan apps and tweak settings to allow installation of apps from stores other than Google Play to be infected; however, attackers increased the likelihood of compromise by using the titles of popular Android apps such as Skype, MinecraftPE, and WhatsApp.

Kaspersky researchers Mikhail Kuzin and Nikita Buchka found the flaw last month in a widespread campaign across Russian news sites and web properties.

Some 37,000 users at the campaign's peak received the malicious .apk files.

While it is unknown when the next Android Chrome version will be released, Google usually sticks to a six-week release cycle. If Google sticks to that timeline, a new edition of the browser should land before December 3rd, 2016.

This offers attackers a touch over three weeks to ramp up what Kuzin and Buchka say are likely attacks through AdSense against the rest of the world.

The same attack group has been upgrading and spreading its Svpeng trojan since 2013, including changing its victim base in 2014 to target users in the United States.

The pair acknowledge Google's plan to patch but say its efforts to date to block attacks have been ineffective.

"Google has been quick to block the ads that the trojan uses for propagation; however, this is a reactive rather than a proactive approach [since] the malicious ads were blocked after the trojan was already on thousands of Android devices," the pair say.

"It is also worth noting that there were multiple occasions in the past two months when these ads found their way onto AdSense.

"[The] next time they push their adverts on AdSense they (criminals) may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"

The attacks fail on all other browsers and would do so on Android Chrome if it were not for some clever file manipulation.

Downloaded files are broken into pieces and passed to the save function via the Blob() class, which lacks the security integrity checks of the conventional download method.
 

Der.Reisende

Flaw allowing ads to offer dodgy apps won't be fixed for about three weeks
When Karma strikes back...

As you can imagine, Microsoft engineers were not happy about Google's decision at all. In a statement published the next day, Terry Myerson, Microsoft Executive Vice President of the Windows and Devices Group, said that despite Google's rules, the search giant should have known that developing, testing, and releasing patches for ten-years-worth of Windows releases isn't a job that can be rushed.
From Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch

Worrying share, bad news for the Android users yet. Thank you @Solarquest!
 
