Tech giant Google has officially taken down an operation that combined malicious advertisements from AdSense with a zero-day exploit in Chrome for Android, which forced mobile devices to download malware used for banking fraud.
During its run, which spanned more than two months, the operation downloaded Bank.AndroidOS.Svpeng onto more than 318,000 devices running the Android platform. According to International Business Times, the exploit was able to infect more than 37,000 devices during its peak operation. The devices were monitored by the Moscow-based antivirus provider Kaspersky Lab, which reported on the exploit in a blog post shared on Monday.
Kaspersky Lab noted that while the malicious installation files were not automatically executed once they were downloaded to a device, they carried names like last-browser-update.apk and WhatsApp.apk, which were designed to trick targeted users into manually installing them.
Kaspersky Lab said that it privately reported the operation to Google. In response, the tech giant worked out a patch to fix the loopholes. The Russian firm said Google had detected and removed the malicious ads that distributed the malicious installation files. However, the firm added that after they were detected and removed, new ones surfaced and took their place.
In a statement acquired by Ars Technica, Kaspersky Lab researchers said, "The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation."
Kaspersky Lab also noted that the exploit only targeted Android devices located in Russia. Moreover, the firm added that if the perpetrators try to expand their operation on Google AdSense, they could target any country they choose.
Google said that the patch to fix the auto-download vulnerability is being tested on Chrome version 54. The company expects the full patch to be 100 percent ready by version 55.