Researchers at Kaspersky Labs detailed the malware, called Svpeng, this week. It comes with an extensive feature set that can be used to obtain administrator access to Android devices. Once downloaded, it removes itself from the list of installed apps and then gains root privileges. This makes it very difficult to remove and harder for antivirus software to detect.
With the first phase complete, the app begins to steal sensitive user data including call histories, browser bookmarks and contacts. It also can intercept, send and delete text messages, although this isn’t the main purpose of the Trojan. It’s really after bank card details which it obtains through phishing window pop-ups. The SMS access is required to circumvent banking systems that use SMS to communicate messages.
Svpeng is especially dangerous because of how it travels. Most malware is limited in scope and unlikely to infect users who have antivirus software installed and only get apps from Google Play. Svpeng has the potential to infect any typical Android device owner because it has hijacked Google’s AdSense advertising network.
AdSense is one of the most popular ad networks around, powering the advertisements displayed on millions of websites. AdSense is used by some of the biggest publishers in the world to make money from their content but it isn’t restricted to news sites. From individual blogs to niche forums and gaming sites, the ad network is incredibly widespread online.
This is an advantage for Svpeng. Its creators have built a malicious ad that downloads the Trojan as soon as it is loaded on an Android device. They’ve then submitted the ad to AdSense and ended up getting it approved, leaving it free to propagate across the Internet. As soon as an Android user visits a page where it’s displayed, the Svpeng malware will infect their device.
Kaspersky described the attack as a “gratuitous act of violence” against Android users. Its ability to infect unsuspecting device owners who are simply browsing the web makes Svpeng a major threat. No additional clicks or link follows are required after the webpage that includes the ad is loaded. There’s no way to tell in advance whether a page will display the ad or which websites are likely to be affected.
There is some relief from the malware, however. The Svpeng family of Trojans is already known to most antivirus software and should be detected when it is downloaded. While this doesn’t help people who don’t use Android antivirus apps, those who do should be protected as long as the antivirus provider detects Svpeng before it gets itself fully installed.
Google is yet to respond to the blatant breach of its AdSense terms and conditions and the malicious ad remains live on the network. The incident will be embarrassing for Google which prides itself on safe ads. Svpeng adds fuel to the arguments of ad block users, many of whom use the software because of the risks of malicious ads.
