Google has patched an issue in Chrome for Android’s download check that was actively abused by malware. In August, researchers discovered Android malware that was distributed through the Google AdSense advertising network. The malware tried to steal internet banking data and was automatically saved as an Android executable (APK file) to the SD card of the Android device. “This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file,” Kaspersky Lab researcher Nikita Buchka writes in a blog post on the website of the Russian antivirus vendor.
When informed, Google quickly blocked the malicious advertisements. The researchers then tried to figure out why Chrome allowed the download. They found that the cybercriminals behind the malware used a smart trick to save the APK file to the SD card.
The attackers simulated a click on a download link that was hidden inside a malicious advertisement. When the click was simulated, the APK file was downloaded in several parts, and each part was encrypted. With this method, the cybercriminals bypassed the download notification that Chrome would normally show, which asks the user whether to save the file.
Once the download had succeeded, the malware still had to become active, and for that the APK had to be installed. To convince a user to install the APK, it tried to pass itself off as an update of a popular app.
Google has now patched the issue. Users who don’t browse with Chrome on Android are not affected by the issue; they are asked whether they want to save the file or not.