An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser.
The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval.
Users need to install the banking trojan apps and tweak settings to allow installation of apps from stores other than Google Playto be infected; however, attackers increased the likelihood of compromise by using the titles of popular Android apps such as Skype, MinecraftPE, and WhatsApp.
Kaspersky researchers Mikhail Kuzin and Nikita Buchka found the flaw last month in a wide-spread campaign across Russian news sites and web properties.
Some 37,000 users at the campaign's peak received the malicious .apk files.
While it is unknown when the next Android Chrome version will be released, Google usually sticks to a six week release cycle. If Google sticks to that timeline, a new edition of the browser should land before December 3rd, 2016.
This offers attackers a touch over three weeks to ramp what what Kuzin and Buchka say are likely attacks through AdSense against the rest of the world.
The same attack group has been upgrading and spreading its Svpeng trojan since 2013, including changing its victim base in 2014 to target users in the United States.
The pair acknowledge Google's plan to patch but say its efforts to date to block attacks have been ineffective.
"Google has been quick to block the ads that the trojan uses for propagation; however, this is a reactive rather than a proactive approach [since] the malicious ads were blocked after the trojan was already on thousands of Android devices," the pair say.
"It is also worth noting that there were multiple occasions in the past two months when these ads found their way onto AdSense.
"[The] next time they push their adverts on AdSense they (criminals) may well choose to attack users in other countries; we have seen similar cases in the past; After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"
The attacks fail on all other browsers and would do so on Android Chrome if it were not for some clever file manipulation.
Downloaded files are broken into pieces and passed to the save function via blob() class which lacks the security integrity checks of the conventional download method. ®