November 7, 2016

A Mobile Banker Hit 318,000 Android Users via a Vulnerability in a Popular Browser

Kaspersky Lab experts recently discovered a modification of the mobile banking Trojan, Svpeng, hiding in Google's advertising network AdSense.

Woburn, MA – November 7, 2016 –Kaspersky Lab experts recently discovered a modification of the mobile banking Trojan, Svpeng, hiding in Google's advertising network AdSense. Since mid-July, Svpeng has been detected on the Android devices of around 318,000 users, with the rate of infection peaking at 37,000 victims in a day. The attackers, intent on stealing bank card information and personal data such as contacts and call history, were exploiting a bug in Google Chrome for Android.

The first known case of a Svpeng attack using the bug in Chrome for Android occurred in mid-July on an online Russian news outlet. During the attack, the Trojan silently downloaded itself onto the Android devices of the website’s visitors.

In unravelling the attack process, Kaspersky Lab researchers found that the campaign started with an infected advert being placed on Google AdSense. The advert displayed “normally” on uninfected webpages, with the Trojan only downloading when the user accessed the page via the Chrome browser on an Android device. Svpeng disguised itself as an important browser update or popular application, to convince the user to approve the installation. Once the malware was launched it disappeared from the list of installed apps and asked the user to give it device admin rights. This made the malware harder to detect.

It appeared that the attackers had found a way to bypass some key security features of Google Chrome for Android. Normally, when an Android Application Package (APK) file is downloaded on a mobile device via an external web link, the browser displays a warning that a potentially dangerous object is being downloaded. In this case, fraudsters found a security flaw that allowed APK files to be downloaded without notifying users. On discovering the bug, Kaspersky Lab immediately reported the issue to Google. The patch will be issued in the nearest Google Chrome for Android update.

“The Svpeng case confirms, yet again, the importance of cooperation between companies. We share a common goal to protect users from cyberattack, and it is vital that we work together to achieve this,” said Nikita Buchka, Malware analyst at Kaspersky Lab. “We are happy to help make the Android ecosystem safer, and would like to thank Google for its prompt response to our report. We also urge users to avoid downloading applications from untrusted sources and to be cautious when it comes to what permissions they are asked to give and why.” he added.

Kaspersky Lab advises customers to upgrade the Chrome for Android browser to the latest version, install an effective security solution and to be aware of the tools and techniques used by malware authors to trick them into installing malicious software and agreeing to far-reaching device rights.

The Svpeng mobile banking Trojan is designed to steal bank card information. It also collects call history, text and multimedia messages, browser bookmarks and contacts. Svpeng mainly attacks Russian-speaking countries, however it has the potential to spread globally. Due to the specific nature of the malware distribution, millions of webpages globally are at risk, with many of them using AdSense to display adverts.

Kaspersky Lab detects the modification of the malware as Trojan-Banker.AndroidOS.Svpeng.q

Read more information on the Svpeng on

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact:
Sarah Kitsos

Articles related to Press Releases