Vulnerabilities in Google Chrome allow Svpeng Trojan to compromise over 318,000 Android devices

The old Svpeng Trojan has been renewed and was used to infect over 318,000 Android users thanks to a vulnerability in Android’s Chrome browser. This Trojan is made to steal private information from victim’s device, such as bank card details, read and send out private messages, and carry out other illegal activities. Reports show that the mobile banking Trojan reached nearly 37,000 victims per day, which is a strikingly large number, to say at least. What is worse is that Chrome users might need to wait about three weeks until the vulnerability in Chrome for Android gets fixed. Although the gigantic company has acknowledged the problem and stopped the flow of malware-laden ads, the vulnerability in the mobile browser is still open and needs to be patched. Sadly, Android users might have to wait for this until December, when the next browser update appears. In the meantime, users should take all necessary precautions to protect their devices from this mobile Trojan.

It seems that the banking Trojan horse only attacks smart devices with the Russian-language interface, most likely those that are owned by Russian residents and those living in CIS countries. Svpeng Trojan first exploited Chrome’s flaw in mid-July via online Russian news outlet. It appears that fraudsters have injected malware-laden ads to Google AdSense, and as a result, these were displayed on legitimate and virus-free websites. These malicious ads showed up for users who accessed such sites via Chrome on Android device, saying that the device has been compromised already and that the user needs to install anti-malware tool to make the device safe again. If the user accepted the offer to install this tool, Svpeng Trojan was installed on the mobile right away. However, eventually actors behind Svpeng banking Trojan have found a way to bypass some Chrome’s security features and push the Trojan to the user without displaying any pop-ups or alerts.

The JavaScript-coded malicious program no longer needs to ask user’s permission to be installed – it downloads a .apk file automatically because of codes within the malware-laden ad counterfeit user’s click on the ad. The Android virus enters the system without user’s authorization thanks to a special function that breaks the APK file into pieces that are handed over to a save function via Blob() class, and unfortunately, Chrome doesn’t check what kind of content is being saved on the device. The malicious .apk file can hide under sham names such as WhatsApp.apk, last-browser-update.apk, Android_update_6.apk and similar. If the victim opens such file, malware gets installed and disappears from the list of installed applications. This way, it becomes hardly detectable, which naturally makes it harder to remove.

It is a well-known fact that Android devices and applications that can be installed on them are quite pervious to mobile malware attacks. To protect your device from malevolent virus variants such as Svpeng, Android virus or Android ransomware, update all applications frequently and install a reliable anti-malware software compatible with your Android device.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions