
This article is more than 1 year old

Google to patch Chrome mobile hole after bank trojan hits 318k users

Flaw allowing ads to offer dodgy apps won't be fixed for about three weeks

An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser.

The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval.

To be infected, users need to install the banking trojan apps and tweak settings to allow installation of apps from stores other than Google Play; however, attackers increased the likelihood of compromise by using the titles of popular Android apps such as Skype, MinecraftPE, and WhatsApp.

Kaspersky researchers Mikhail Kuzin and Nikita Buchka found the flaw last month in a widespread campaign across Russian news sites and web properties.

Some 37,000 users at the campaign's peak received the malicious .apk files.

While it is unknown when the next Android Chrome version will be released, Google usually sticks to a six-week release cycle. If Google sticks to that timeline, a new edition of the browser should land before December 3rd, 2016.

This offers attackers a touch over three weeks to ramp up what Kuzin and Buchka say are likely attacks through AdSense against the rest of the world.

The same attack group has been upgrading and spreading its Svpeng trojan since 2013, including changing its victim base in 2014 to target users in the United States.

The pair acknowledge Google's plan to patch but say its efforts to date to block attacks have been ineffective.

"Google has been quick to block the ads that the trojan uses for propagation; however, this is a reactive rather than a proactive approach [since] the malicious ads were blocked after the trojan was already on thousands of Android devices," the pair say.

"It is also worth noting that there were multiple occasions in the past two months when these ads found their way onto AdSense.

"[The] next time they push their adverts on AdSense they (criminals) may well choose to attack users in other countries; we have seen similar cases in the past; After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"

The attacks fail on all other browsers and would do so on Android Chrome if it were not for some clever file manipulation.

Downloaded files are broken into pieces and passed to the save function via the blob() class, which lacks the security integrity checks of the conventional download method. ®

 
