Malware That Fakes Bank Login Screens Found In Google Ads

tedlistens quotes a report from Fast Company: For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers. In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers. Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users." "By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM! -- no additional clicks or following links required." The good news is that the issue has since been resolved, according to a Google spokeswoman. Fast Company provides more details about these types of attacks and how to stay safe in its report.

Please log in to slashdot.

In order to view this post, please reply to it by logging into your slashdot account. Please enter your username and password in the reply box and press the "preview" and "submit" buttons.

And publishers complain about ad blockers

[Solandri]

It's because your ad business model is broken. How long will it take before you admit to yourselves that accepting random scripted ads from an insecure third party ad farm totally out of your control is stupid? Either vet the ads yourself (and accept responsibility if you let a malicious ad get through), or contract it out to a third party security service which does it for you.

Too hard you say? Here's a hint: If the only ads you allow are a static JPEG which clicks through to the advertising site, you've done your job. Newspapers and magazines got along just fine for over a century with static ads. Advertisers don't need scripting, and in fact they've demonstrated they're too immature to be given the power of scripts.

Re:And publishers complain about ad blockers

[Dutch+Gun]

Safe is not a binary yes or no. It's more of a spectrum.

At one end, we have static HTML with no scripting, and a modern browser with robust content interpreters, hardened over the last two decades. We're not likely to get infected with a jpeg file or random HTML parsing flaws anymore (although it's not impossible more flaws will be found - look at Android's StageFright bugs). Besides, you notice that article was written in 2004, right? If you're using a circa 2004 browser or unpatched OS, it's your own damned fault for whatever happens.

On the other end of the web browsing safety spectrum, you have Flash and random ads that may or may not be served from an unvetted server in Bosnia, that have full access to a very powerful interpreted scripting engine, and with one tiny flaw, can infect your computer. Or, they'll bombard the user with scamware or phishing attacks to trick them into giving them access. It ends up the same either way.

Given that allowing ads or running Flash exposes us to significant risk for no gains, it's a pretty simple choice to make for informed folks. Oh, and I'm not vehemently anti-ad. For instance, I don't mind the ads on Slashdot, and have never turned them off. I figure they're safe enough and hopefully make the site a bit of money.

can we please stop pretending?

would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements

Can we please stop pretending that computers "automatically" do things, as if they are some magical entity that is not subject to understanding? They do what they are programmed to do, and configured to do within that programming.

Ads do not "automatically" download jack shit. They download things if you are allowing unknown remote sites to run scripts without your explicit approval. Almost always that happens because Javascript was enabled by default, which we have seen about 1000000 times is a security clusterfuck. Almost all such events happen only because someone said, "Sure! I don't care who the other party is, I'm just fine with them running code I haven't seen on my computer, automatically, by default. No no, really, it's fine! Go right ahead. I don't care what you want to do. Behavioral tracking, malware downloading, anything you want! Go for it! Door's wide open."

This is no smarter than letting anyone, at any time, use your house for any purpose they might want, "as long as they promise to stay in the living room". Drug cartels? Mafia? Human traffickers? It's all good! No, I don't need to approve the uses of my house, I'm willing to let literally anyone in the world use it for any reason. Later on, I'm going to act mystified about why the SWAT team just showed up, my house is on fire, there's a dead body in the kitchen, and the neighbors are running around screaming. There can't possibly be any connection between that, and my default-allow policy.

If you wouldn't do that with your house, why would think it's any smarter to do it with your computer?

Ads have long been a risk to security

[melting_clock]

Unfortunately for sites that rely on advertising to survive, malware delivery through ads is nothing new and this forces many people to block ads as part of their online security. This is not because the sites they visit are not trustworthy. It is simply due to the fact that not every advertiser can be trusted and the companies serving ads have failed to effectively prevent malware getting on to their networks. Criminals distributing their malware through ads are able to reach legitimate web sites that they would be unable to compromise, expanding their reach to a larger audience and making it an attractive option.

Many of us would be happy to view ads to support our favourite sites but are unwilling to take the risk. Antivirus software can only protect against known threats so, when new malware is constantly being discovered, their success rate of detection can never be 100%. Antivirus software forms part of a sensible online security plan but it does not replace ad blocking or blocking third party scripts.

Re:Ads have long been a risk to security

[wickerprints]

Precisely. Your point is proven by the fact that these trojans are finding their way onto Google AdSense: it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.

But, a little context is also worth mentioning. The original web ads used to be things like banners, or animated GIFs, usually with cheesy flashing graphics. These are still around of course. They used to be nothing more than static content that would serve a link if clicked. But as they became ubiquitous, users quickly to ignore them. So advertisers resorted to increasingly intrusive ads, like the dreaded pop-ups, which users quickly learned to close, followed by pop-unders or persistent pop-ups powered by scripting that would simply load another pop-up if the original window was closed. These resulted in browser-side blocking of pop-ups. Advertisers then escalated to overlays and interstitial ads, intercepting or obscuring the desired content. Of course, in all of this, there was always some share of shady ads, things that tried to trick the user in some way by pretending to be something it was not. But the trend has always been an arms race of increasingly intrusive and difficult to block advertising, versus increasingly more sophisticated methods to block.

This is why we are where we are today. Online advertising has a long and consistent history of being untrustworthy, malicious, and disrespectful of user preferences. Blocking is the natural reaction to such tactics. On the other hand, when people follow certain kinds of online content--product reviews on YouTube, Facebook, and Twitter--this is the way online advertising must evolve. It must evolve away from advertisers attempting to force-feed ads to users whether they wish to see it or not. Even when I know what I'm watching or reading is a paid endorsement or sponsored content, if I *choose* to look at it, that is worth far more than being forced to click through an overlay. If I cannot unblock the content without running some shady JavaScript, I simply move on.

Re:Ads have long been a risk to security

[phantomfive]

it definitively shows that the only remedy is to block all ads because the content providers, ad networks, and other facilitators, cannot be trusted to not serve malware to the end user.

I'll go beyond that: if you browse the net without adblock, you are irresponsible. If you help someone with their computer, and don't set up adblock, you are irresponsible. If you are a sysadmin and don't have adblock on your computers by default, you are irresponsible and should be fired.

Ad Blocking

[duke_cheetah2003]

And once again, Ad Blocking is justified. Those darn ads can be outright dangerous, which computer people have been saying for years.

Simply put, if companies can't be bothered to vet the ads they're serving, we can't be bother viewing any ads at all. Clean it up, already.

Re:WTF????

[duke_cheetah2003]

"It then prompts users for administrative rights..."

Why would you give admin rights to something you didn't explicitly download?

You're talking about end users. Something pops up they just click whatever makes it go away. You think they pay attention to that?

advertisement is evil

[Tom]

And with that, all the "good advertisers" bullshit is dead. Not just scammy and shady ad networks deliver malware. Advertisement is evil and needs to die, at least the way it is handled right now. The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".

I like product information, for example. I'm a big fan of sites that compare products. These days, there are a thousand mobile phones, or printers, or vacation destinations, or chairs or cars or really anything, and it's not easy to find the one that's perfect for you.
There's also new and interesting stuff coming out all the time, and most of us miss most of it. Something that focusses on these aspects, on the customer desires, that would be wonderful.

Good ads

[fyngyrz]

Ads can be good. They can enable commerce and content. Responsible advertising contains a combination of three things: a still image, and/or text, and a link. IOW: an HREF element, and within that, an IMG element and/or perhaps (preferably) some textual content. No scripts other than what's required to actually serve the ad, no videos, no animations, no scraping of user-specific information.

Anything/everything else is abuse.

Remember when Google was all about text ads?

Google's ethics cancer took care of that. For myself, I don't see many ads any longer. The status quo is to attempt to abuse me; fine. The status quo on this end is to block ads.