Google AdSense abused to distribute Android spyware

A banking trojan targeting Android users is spreading through malicious ads as part of an ongoing campaign. The scenario by which the malware spreads is all too familiar to long-suffering Windows fans, but may well come as an unpleasant shock to smartphone users. Worse yet, Android users can get infected by the Svpeng Trojan …

  1. Mr.Bill

    no additional clicks

    It's both in the security companies' and news sites' best interests to pick up on these non-stories. "no additional clicks" - right, maybe to download it. There are always multiple clicks and warnings to be able to install it.

    1. Charles 9 Silver badge

      Re: no additional clicks

      Maybe it really IS a "silent install" trojan, which could then use that other exploit mentioned last week or so to elevate to root and wreak havoc.

      Do we have any indications this is a silent install?

      1. DougS Silver badge

        Re: no additional clicks

        There have been silent install bugs, some in the recent past. Even if they are fixed in the latest version of Android, how many phones are out there which don't have it and never will? There doesn't seem to be any information that says whether this malware uses a silent install, but if it doesn't that doesn't mean someone else won't. Combine a few pieces together from different malware and get your "ads" widely distributed and you could root 50 million phones in a weekend! The best thing about this for malware authors is that it is like the Windows XP days all over again, when you could expect that the holes will remain open in a majority of phones for a long time.

        1. Anonymous Coward

          Re: no additional clicks

          Silent install bug cite please.

          Never happened, regardless of what apple may have told you.

          1. DougS Silver badge

            @AC

            Here's just one, I'll leave it to you to do your own research to find others:

            http://www.cso.com.au/article/598637/malvertising-attack-silently-infects-old-android-devices-ransomware/

            1. Charles 9 Silver badge

              Re: @AC

              So you see, put this (or another Towelroot-like exploit, a KNOWN silent install) together with Quadrooter (many phones out there use Qualcomm SoC) and you've got a very dangerous situation here, especially since the bulk of the vulnerable devices out there are EoL and made by companies out of the reach of any law enforcement who cares.

          2. Anonymous Coward

            Re: Never happened, regardless of what apple may have told you.

            Hiding your posting history because....?

      2. FF22

        Re: no additional clicks

        The screenshot provided makes it obvious that this is not a silent install, but one that requires user interaction to actually run on the phone - if it's allowed at all. It's also doubtful that it has been really distributed through AdSense as a drive-by download, without actually requiring a click on an AdSense ad.

      3. This post has been deleted by its author

      4. big_D Silver badge

        Re: no additional clicks

        If it was a silent install, then the story should mention which exploit it uses to get around the standard settings of only installing from approved sources (Google Play Store) or signed files.

        If it is getting around the standard security, then the article should state this, as this would be a real problem. If it requires the user to turn off the safety features to install the .apk (which they would normally have to do), then it is a bit of a non-story, but the article should warn that users who have deliberately disabled the standard policy to install an app from an unknown source should turn the setting back on afterwards...

  2. Mark 85 Silver badge
    Holmes

    The AdSense Network.... and some people wonder why there's adblockers, exclusion lists in HOSTS lists, and No-Script programs... at least in the Windows world.

    I don't know if the smartphones "permit" these (HOSTS I think is pretty much Windows turf) but... still, the more tools to block, the better, IMO.

    1. FF22

      You realize that ads can only infect your computer the same way any web page can, and that if you block ads, malware can still get onto your computer for ex. through the very same page that you blocked the ads on, don't you? You probably also realize that ad servers are generally far more secure than Average Joe's webpage, and that because of this, your chances of getting infected by ads are minuscule compared to getting infected by the web page the ads are run on (or any other web page for that matter), don't you?

      Your ad blocker protects you from no malware. But it definitely harms small publishers and kills the free and independent internet.

      1. Ropewash
        Thumb Down

        @FF22

        http://www.theregister.co.uk/2016/08/03/malvertising_surge/

        https://blog.malwarebytes.org/threat-analysis/2016/05/cbs-affiliated-television-stations-expose-visitors-to-angler-exploit-kit/

        http://www.theregister.co.uk/2016/05/10/pop_prince_perezhilton_pwned_pours_cryptxxx/

        Yeah. No need for ad/script blocking at all. Nope.

        Won't someone think of the poor poor small publishers who are too fucking lazy to vet the ad companies that get linked through their site? Without the ability to remotely infect your computers and destroy your data they can't make ends meet. <sob> <sob>

        On another note...

        ...I thought ad-sense WAS android spyware.

        1. Ropewash

          yep, I just responded to myself.

          Too late to edit the last post...

          Here's a guy whose sites I would have no issues visiting. I quote from one of our own here without permission or indeed concern.

          >>"If the website operators (and the advertisers) are so concerned about ads being blocked, why don't they just buffer up the ads at the website server and deliver them as part of the main page?"

          Started doing that at least 10 years ago - Ads are small and I limit the number of them to keep them non-invasive. They are from direct advertisers who contact me about advertising on my sites. First I check out the company. If I accept it, they produce a graphic and email it to me, I check it and minimize it. Pages don't call scripts - I keep the graphics on the server.<<

          1. sabroni Silver badge
            Thumb Up

            Re: yep, I just responded to myself.

            Now this is targeted advertising I can live with. The site owner vetting the ads and ensuring they are just static images and hosting them locally. Nice!

            1. Aitor 1

              Re: yep, I just responded to myself.

              Ad networks SHOULD be great.

              The problem is they are way too greedy, both the advertisers and the networks.

              Only properly identified individuals should be able to send anything else than a static image, and the networks should be legally responsible (in practice, not just theory) for sending malware.

      2. Pascal Monett Silver badge

        @FF22

        "Your ad blocker protects you from no malware"

        Sorry, but you're patently wrong. When the ad is the malware, blocking it protects you from it, period. The fact that there are other means of infecting you "from the same page" does not mean that ad blockers are useless, it means that you need other means of protection. Such as NoScript. Oh, and a functional brain that doesn't let you click on all those attachments promising lewd pics from a link in zip file.

      3. Anonymous Coward

        You realize that ads can only infect your computer the same way any web page can, and that if you block ads, malware can still get onto your computer for ex. through the very same page that you blocked the ads on, don't you?

        Has anyone ever explained to you how http actually works? Look it up, it may help. If you use an ad blocker, you block the specific queries that download from advertising networks, which means, you do not download malvertising either. Simple.

        Personally, I think that advertisers should really start to consider if they want active ads. I'm OK with static ones (well, OK, even that was once enough to breach a Windows box but I suspect they may have fixed that by now), but all this active content means you're downloading the equivalent of an executable but without the vetting you yourself normally do, and as you get a different one served it's like rolling the dice every time you visit that site. It's self evident that the ad networks do not do any checking *at all* on either customers or ads, and personally I think it's time the ad networks are made liable for this - you break it, you fix it or pay for it.

      4. Anonymous Coward

        @FF22

        Is that the same free independent internet that allows me to NOT view ads everywhere?

      5. Anonymous Coward
        Mushroom

        @FF22

        OK we get it, you work for, or profit from advertising agencies.

        But here is the fact. If you idiots had simply kept to static ads, this sort of crap would never have happened. But oh no, you idiots decide that we wanted full screen, bandwidth hogging, video playing crap shoved down our throats.

        You have this insane idea that pissing people off is the best way to reach market....look they ARE clicking ads, but are too stupid to realise that most times it's accidental, people desperately trying to get rid of the shit being forced upon us.

        Don't you muppets realise the most clicked ads are the most simple (Google & Bing search results), not some 50mb video with some shite music blaring out, all because I had the nerve to scroll down the page.

        1. Charles 9 Silver badge

          "Don't you muppets realise the most clicked ads are the most simple (Google & Bing search results), not some 50mb video with some shite music blaring out, all because I had the nerve to scroll down the page."

          They do. They also know they don't get clicked as people get numbed to them. It's been that way for over 100 years, as E. E. Smith even wrote about it in First Lensman, which dates back to WW2. It's hard to get through to a jaded mind, but it's their job.

    2. John Brown (no body) Silver badge

      "I don't know if the smartphones "permit" these (HOSTS I think is pretty much Windows turf) but... still, the more tools to block, the better, IMO."

      FWIW the hosts file was born long before Windows. It's how the internet worked before DNS was invented.

      1. Jamie Jones Silver badge

        Indeed! /etc/hosts even still exists on android devices

        1. tiggity Silver badge

          - hosts needs root

          Though need root access to edit, which makes it a problem for most users (reasons include rooting phone usually voids warranties, it can brick your phone / many users scared off doing it as not the simplest process, lots of software will try & detect rooted phone and if it finds rooted will not run on it, if your phone is a company phone then typically no chance of being allowed to root it etc.)

          So on (non root) android only casual user option is installing different browser (I use Firefox on android) & various defensive addins e.g. script / ad blockers, as default chrome on android lacking good defensive addins compared to rival browsers

    3. Tannin

      Well, that's the problem with Android, isn't it. No hosts file, at least not in the sense of something that you, the owner of the device, are able to control. It's seriously bad design. (Deliberately so, one presumes.)

      (Disclosure: no axe to grind here, I understand that Apple kit is as bad or worse in this regard.)

  3. ewilts

    And yet we're not supposed to block ads. Sigh....

  4. Anonymous Coward

    Does this install happen if installs from third party sites are blocked?

  5. Wade Burchette

    Android Firefox works well

    The Android Firefox supports uBlock, Ghostery, and many other good add-ons.

    1. sabroni Silver badge
      Unhappy

      Re: Android Firefox works well

      Pity its noscript is so cakey.

  6. Anonymous Coward

    Wow, I'm impressed

    I've always said that Google was following Microsoft's earlier playbook to the letter, but to even enable drive-by vulnerabilities in the code is in my opinion going a bit far :).

    Well done Google, for producing a *nix version that is sensitive to drive-by infections. It demonstrates just how close they have the interest of their users at heart...

    1. imanidiot Silver badge

      Re: Wow, I'm impressed

      Pretty sure by now android and *nix have about as much in common as MacOS and OS/2.

      1. Anonymous Coward

        Re: Wow, I'm impressed

        Pretty sure by now android and *nix have about as much in common as MacOS and OS/2.

        Not quite. Both OS/2 and OSX are actually quite safe and require far less effort to remain that way (OS/2 mainly because nobody bothers writing malware, but it was quite good to start with).

  7. Anonymous Coward

    Liability for this sites with the web site owner!

    Just because that web site owner has delegated some content to be delivered by a third party on their behalf does not mean it's not their fault.

    Take some ownership of your ENTIRE web content delivered from your web site. Maybe a few cases of successfully suing the owners of the website for this 'third-party malvertising' content they are allowing to be pushed onto their customers would make them think twice.

    Or more likely not. Most web sites are free to visit, but they require money to run (content has to be built, web servers need to be paid for, connectivity is not free...) so they prop up their revenue with adverts. I see why it's done, but since they make no effort to vet the content, I have no problem blocking the entire lot with a blunt 'No Advert' web browser add-on.

    1. Anonymous Coward

      Re: Liability for this sites with the web site owner!

      I see where you're coming from, but that will only work if the site owner then goes after the advertising company. The site owner generally only chooses a provider, as far as ads are concerned they are mainly really a carrier with little control over ad content.

      The blame lies IMHO squarely by the ad channel such as Google and others - they should vet the stuff they're about to spew to gazillions of sites. I don't buy it that they cannot screen the ads with active content. I think it's more a matter of not WANTING to because that (a) clearly establishes their liability (that they already ought to have but are skirting right now) and (b) most important of all, that would reduce their profits - can't have that, better make money from the criminals too..

      The latter I'd call the Western Union approach to managing crime..

    2. Falmari
      Mushroom

      Re: Liability for this sites with the web site owner!

      Web sites that have ads are not free to visit, just you do not see the cost as it has already been paid for by others. Advertising costs money how is this cost recovered, by adding to the cost of the goods you buy.

      The way I look at it visiting sites funded by advertising is getting others to pay for your web browsing.

      Personally I would rather have an internet with no advertising and if some sites go to the wall so be it.

      1. Charles 9 Silver badge

        Re: Liability for this sites with the web site owner!

        "Personally I would rather have an internet with no advertising and if some sites go to the wall so be it."

        Even if one of those sites was your one and only favorite hobby site? And before you say another will pop up, why hasn't that happened for Kickass yet?

        1. Falmari

          Re: Liability for this sites with the web site owner!

          @Charles 9

          Yes even if it means losing a 'one and only favorite hobby site' for an Internet without advertising

  8. Whitter
    Mushroom

    Sue, sue and sue again

    Until enough web owners are made bankrupt for allowing 3rd parties access to their customers, this will never stop. The ad companies might not like it, but we are long past the point where ads can be delivered without being vetted by somebody whose job is on the line.

    1. Charles 9 Silver badge

      Re: Sue, sue and sue again

      Then it'll never happen, simply because many of the firms have become transnational, meaning they can pit sovereignty against nations that want to interfere.

  9. Ru'
    Facepalm

    I'm glad that yet again, el reg has taken the time to research this story fully, and explain how the infection is possible, if it requires additional acceptance clicks or settings etc. That's why I read articles on a tech site.

    Oh, wait.

    Doesn't matter, got my click.

  10. Anonymous Coward

    The gift that keeps on giving

    * Can no one sue Google over this??? Even M$ was forced to pay out recently... But of course Google owns much more political real-estate now in both the UK & US....

    * Always interesting how no one in the mainstream media ever seems to get hit! But that's ok, they've got our backs, right? Always glorying the latest app with zero discussion of the possible downsides...

    * Amazed more families haven't simply unplugged. The recent US NTIA census analysis confirms they have too, so WTF??? So many Sheeple are now firmly net addicts it's probably too late... What a world!

    1. Charles 9 Silver badge

      Re: The gift that keeps on giving

      2) I recall CNN got hit with a drive-by in the past, so it HAS happened.

      3) For many the Internet is like the telephone was: an essential point of contact with your line of work and so on. Basically, unplugging means Walking On The Sun.
