Skolkovo’s resident cybercrime sleuths Group-IB have helped Russia’s Interior Ministry catch a gang of hackers suspected of using a Trojan virus to steal money from more than one million bank accounts via mobile banking apps, the ministry said Monday.
Sixteen arrests were made in November, and the last gang member was detained last month. Photo: Group-IB.
The hackers infected more than a million smartphones with a Trojan programme and stole more than 50 million rubles ($883,000), according to police.
“The gang members were using malware that enabled them to get unauthorized access to smartphones using a certain mobile operating system, and with the help of undetected commands sent via SMS, to transfer money to accounts opened in advance,” the Interior Ministry said in an online statement, noting that the investigation had involved employees of the ministry’s K division which deals with cybercrime, as well as police investigators from the Ivanovo region, with “active assistance” from Group-IB.
Group-IB first became aware of what it calls the Cron gang back in March 2015, when the company’s cyber intelligence system tracked the activity of a new criminal group that was distributing malicious programmes named Viber.apk, Google-Play.apk and Google_Play.apk for Android OS on underground forums, Group-IB, a resident of the Skolkovo Foundation’s IT cluster, said in a blog post.
“The hackers called this malware ‘Cron,’ hence the logic for our naming convention of the group. Cron targeted users of large, top 50 Russian banks – all of their SMS banking services were under siege during Cron's operations,” the company said.
“The approach was rather simple: after a victim's phone got infected, the Trojan could automatically transfer money from the user's bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6,000 bank accounts,” Group-IB said.
Police seized computers and hundreds of bank cards and sim cards in false names in raids across 6 Russian regions. Photo: Group-IB.
“After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank,” the company explained.
The hackers infected 3,500 mobile devices per day during the height of their operations, and the average theft was about 8,000 rubles ($140), said Group-IB, which investigates about 80 percent of high-profile cybercrimes in Russia and the Commonwealth of Independent States and has developed advanced threat intelligence systems to analyse a company’s weak spots and predict what form an attack might take.
The gang comprised 20 people based in the Ivanovo, Moscow, Rostov, Chelyabinsk and Yaroslavl regions, as well as Russia’s republic of Mari El, while the ringleader was a 30-year-old resident of the city of Ivanovo, the Interior Ministry said.
The gang members were arrested and 20 searches carried out, during the course of which investigators seized computers and hundreds of bank cards and sim cards in false names, police said. The last gang member to remain at large was apprehended last month, said Group-IB, adding that the initial raids and arrests took place back in November.
Those arrests were made when the criminal gang, having stolen millions of rubles in Russia, set its sights on banks in the U.K., Germany, France, the U.S., Turkey, Singapore, Australia and other countries, according to Group-IB, which said that Cron intended to start its international expansion by targeting French banks.
“However, by November 2016, Russian law enforcement with support from Group-IB had managed to identify all members of the group and collect digital evidence of the crimes committed,” said Group-IB.
“On November 22, 2016, a large-scale operation was carried out in six Russian regions: 16 Cron members were detained. The last active member of the group was detained in early April in St. Petersburg,” the company said.
Hackers are now using Trojans to target mobile phones and tablets over PCs, according to Group-IB. Twenty percent of Russian adults use mobile banking, said the company, citing central bank statistics.
“Smartphones have become the new mobile wallet, and this trend was capitalized on by cyber criminals. In 2015, 10 new hacker groups started stealing money using mobile Trojans, and the number of incidents tripled,” says Group-IB.
According to 2015 year-end results, losses of online banking users from attacks employing Android Trojans amounted to over $1 million, the Group-IB statement said, adding that hackers target Android users because almost 85 percent of smartphones run Android OS worldwide.
Group-IB’s head Ilya Sachkov warned back in December at Skolkovo’s CyberDay conference that mobile devices running Android were being targeted by hackers.
“Using Android devices is a huge risk,” he told the conference.
For tips on how to avoid falling victim to an Android Trojan and to read the full dramatic story of Group-IB’s role in catching the Cron gang, see the company’s blog post.