A Trojan from Google ads

You can catch a Trojan even if you visit only legitimate websites. This post explains how it happens and what you should do to protect yourself.

A Trojan from Google ads

If you don’t go to suspicious sites, malware can’t get you — right? Well, no. Unfortunately, even those who do not open unreliable e-mail attachments, avoid porn sites, and do not install apps from unofficial stores are not well-enough protected.

New developments suggest that malware can be found even on an absolutely legitimate site, as 318,000 thousand Android users found out when their Android devices were attacked by the Svpeng.q banking Trojan from Google AdSense advertisements.

Google AdSense is the biggest ad network in the world, so a lot of criminals dream about finding a way to use the network to spread their malicious programs worldwide. The creators of Svpeng.q managed to do it.

Banners posted by criminals launched automatic downloads of the Svpeng.q installation package with the help of a obfuscated script. Usually, Chrome browser warns users when a potentially dangerous file is downloaded, so the criminals used a special function to make device download the Trojan in parts, so it managed to slip unnoticed.

The script was set up to act only when it was launched on devices with a touch screen and only on the Chrome browser. That’s how criminals narrowed the target audience to users of Android tablets and smartphones — because Svpeng.q Trojan was written for Android.

You can read more about Svpeng.q in the detailed report published on Securelist. Long story short, it’s not that different from other banking Trojans; its main function is to overlay interfaces of mobile banks with fake ones, copy credit card data, and send the data to criminals. They in turn use it to steal victims’ money.

We reported our findings to Google, and developers made a patch that fixed the hole in Google Chrome that let the Trojan bypass security notification.

It’s noteworthy that if you download Svpeng, you won’t get infected immediately. You need to install it, and so the Trojan does its best to deceive: For example, the installation file may have a name like Android_update_6.apk or Instagram.apk, among others. This tactic seems to work well for cybercriminals.

How to protect yourself from Trojans hiding in ads

Even legitimate sites can unwittingly put you at risk. To protect yourself, follow these guidelines:

1. Never open files if you are not sure how they got to your device. Just because a file is called android_update.apk doesn’t mean that it contains a system update. You can find out if the system has a legitimate update by checking Device Information under Settings.

2. Don’t allow the installation of apps from third-party stores. Every Android gadget includes this setting. That way, even if you mistakenly approve installation of such a pseudo-update, the system will stop it.

3. Install real updates as they become available. In addition, update Google Chrome on all of your Android devices as soon as it’s possible. Updating is quick, and it could save you time, hassle, and even money.

4. Use antivirus protection on all devices. In cases like this one, a real-time security solution can protect the user — unlike an on-demand antivirus scanner, which must be launched manually. Svpeng knows how to “kill” the processes of popular security solutions, so the scanners just won’t launch. On the contrary, the paid version of Kaspersky Antivirus & Security for Android detects Svpeng as Trojan.Banker.Androidos.Svpeng.Q — and blocks it easily.