{"id":6528,"date":"2016-11-10T11:41:48","date_gmt":"2016-11-10T16:41:48","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=6528"},"modified":"2017-09-24T20:10:11","modified_gmt":"2017-09-24T14:40:11","slug":"a-trojan-from-google-ads","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/a-trojan-from-google-ads\/6528\/","title":{"rendered":"A Trojan from Google ads"},"content":{"rendered":"<p>If you don\u2019t go to suspicious sites, malware can\u2019t get you \u2014 right? Well, no. Unfortunately, even those who do not open unreliable e-mail attachments, avoid porn sites, and do not install apps from unofficial stores are not well-enough protected.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2016\/11\/05085903\/svpeng-ads-featured-1-1024x672.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-13424\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2016\/11\/05085903\/svpeng-ads-featured-1-1024x672.jpg\" alt=\"A Trojan from Google ads\" width=\"1280\" height=\"840\"><\/a><\/p>\n<p>New developments suggest that malware can be found even on an absolutely legitimate site, as <a href=\"https:\/\/securelist.com\/blog\/research\/76286\/disassembling-a-mobile-trojan-attack\/\" target=\"_blank\" rel=\"noopener\">318,000 thousand Android users<\/a> found out when their Android devices were attacked by the Svpeng.q banking Trojan from Google AdSense advertisements.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/AdSense\" target=\"_blank\" rel=\"noopener nofollow\">Google AdSense<\/a> is the biggest ad network in the world, so a <em>lot<\/em> of criminals dream about finding a way to use the network to spread their malicious programs worldwide. The creators of Svpeng.q managed to do it.<\/p>\n<p>Banners posted by criminals launched automatic downloads of the Svpeng.q installation package with the help of an obfuscated script. 
Usually, the Chrome browser warns users when a potentially dangerous file is downloaded, so the criminals used a special function to make the device download the Trojan in parts, and it managed to slip through unnoticed.<\/p>\n<p>The script was set up to act only when it was launched on devices with a touch screen and only on the Chrome browser. That\u2019s how the criminals narrowed the target audience to users of Android tablets and smartphones \u2014 because the Svpeng.q Trojan was written for Android.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Disassembling a <a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/banking?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#banking<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Trojan?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Trojan<\/a> attack \u2013 <a href=\"https:\/\/t.co\/plcDumMXlu\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/plcDumMXlu<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/t.co\/BCgAiGSp22\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/BCgAiGSp22<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/795666479471587328?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 7, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<div class=\"embed\"><\/div>\n<p>You can read more about Svpeng.q in the <a href=\"https:\/\/securelist.com\/blog\/incidents\/75731\/good-morning-android\/\" target=\"_blank\" rel=\"noopener\">detailed report<\/a> published on Securelist. 
Long story short, it\u2019s not that different from other banking Trojans; its main function is to overlay the interfaces of mobile banks with fake ones, copy credit card data, and send the data to criminals. They, in turn, use it to steal victims\u2019 money.<\/p>\n<p>We reported our findings to Google, and developers made a patch that fixed the hole in Google Chrome that let the Trojan bypass the security notification.<\/p>\n<p>It\u2019s noteworthy that if you download Svpeng, you won\u2019t get infected immediately. You need to install it, and so the Trojan does its best to deceive: for example, the installation file may have a name like Android_update_6.apk or Instagram.apk, among others. This tactic seems to work well for cybercriminals.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Malvertising?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Malvertising<\/a> is an ambiguous term referring to malicious online ads, fraudulent &amp; legal alike. Learn more! <a href=\"http:\/\/t.co\/atD0f6ygtJ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/atD0f6ygtJ<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/507906133533929472?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 5, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<div class=\"embed\"><\/div>\n<h3>How to protect yourself from Trojans hiding in ads<\/h3>\n<p>Even legitimate sites can unwittingly put you at risk. To protect yourself, follow these guidelines:<\/p>\n<p>1. Never open files if you are not sure how they got to your device. Just because a file is called android_update.apk doesn\u2019t mean that it contains a system update. 
You can find out if the system has a legitimate update by checking Device Information under Settings.<\/p>\n<p>2. Don\u2019t allow the installation of apps from third-party stores. Every Android gadget includes this setting. That way, even if you mistakenly approve installation of such a pseudo-update, the system will stop it.<\/p>\n<p>3. Install <em>real<\/em> updates as they become available. In addition, update Google Chrome on all of your Android devices as soon as possible. Updating is quick, and it could save you time, hassle, and even money.<\/p>\n<p>4. Use antivirus protection on all devices. In cases like this one, a real-time security solution can protect the user \u2014 unlike an on-demand antivirus scanner, which must be launched manually. Svpeng knows how to \u201ckill\u201d the processes of popular security solutions, so the scanners just won\u2019t launch. By contrast, the paid version of <a href=\"https:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=ww_kdaily\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Antivirus &amp; Security for Android<\/a> detects Svpeng as Trojan.Banker.Androidos.Svpeng.Q \u2014 and blocks it easily.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you don\u2019t go to suspicious sites, malware can\u2019t get you \u2014 right? Well, no. 
Unfortunately, even those who do not open unreliable e-mail attachments, avoid porn sites, and do<\/p>\n","protected":false},"author":696,"featured_media":6529,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2196],"tags":[1190,708,1121,675,527],"class_list":{"0":"post-6528","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-advertising","10":"tag-banking-trojans","11":"tag-finance","12":"tag-svpeng","13":"tag-threats"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/a-trojan-from-google-ads\/6528\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/advertising\/","name":"advertising"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=6528"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6528\/revisions"}],"predecessor-version":[{"id":7649,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6528\/revisions\/7649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/6529"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=6528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=6528"},{"taxonomy":"post_tag
","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=6528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}