Russian police have arrested members of the major hacking group “Cron”, which had stolen more than $890,000 from the mobile bank accounts of Android users after infecting over one million devices with a banking Trojan.
The Russian Interior Ministry announced that it had identified 20 suspects in Moscow and six other regions of Russia. Investigators believe the leader of the group is a 30-year-old man living in Ivanovo, a small city about 185 miles northeast of Moscow, from where he commanded a team of 20 people across different regions.
Group-IB, the Russian cyber security company that assisted the Russian Interior Ministry with the investigation, reported that Russian police arrested 16 suspects from the group in November 2016, while the last members of the gang were apprehended in April 2017 in St. Petersburg.
The hackers used an Android banking Trojan they called “Cron.” Group-IB first learned of this malware in March 2015, when it tracked the activity of a new criminal group that was distributing malicious Android programs named “Viber.apk”, “Google-Play.apk” and “Google_Play.apk” on darknet forums and promoting them as the real Viber and Google Play apps.
One year later, experts found that someone was offering to lease an Android banking Trojan called “CronBot” on darknet platforms. According to mobile malware market statistics, “CronBot” was rented in 2016 for up to $7,000 a month, depending on the package.
The hackers targeted by the Russian police used spam text messages to deliver the Trojan to customers of major Russian banks such as Sberbank and Alfa-Bank, and of the online payments company Qiwi. The text messages contained a link and claimed that the recipient’s photos or ads had already been posted on a website. When the user visited the malicious site, the banking Trojan was downloaded to the device and the user was tricked into installing it. The threat was disguised as various well-known apps such as Pornhub, Framaroot, Navitel and Avito.
Once a device was infected, the banking Trojan allowed the criminals to intercept and hide alerts and text messages coming from banks, and to redirect messages to mobile numbers under the hackers’ control. Many banks in Russia allow their customers to run transactions via text messages, which allowed the criminals to transfer money from the victim’s account into their mule accounts.
The cyber criminals opened more than 6,000 bank accounts to which they transferred the stolen funds. According to crime investigators, the “Cron” malware was used every day to steal from 50-60 clients of different banks, an average of $100 from each customer. The total damage from this scheme amounted to approximately $890,000 (50 million rubles).
After their success in Russia, the group decided to expand worldwide. At the beginning of summer 2016, they modified the mobile banking Trojan, named it “Tiny.z” and rented it out for $2,000 per month on darknet platforms. This tool had the capability to attack the Android smartphones of both Russian and international mobile banking customers.
Group-IB researchers analyzed the botnet (Tiny.z) control panel and noticed that it was the same control panel used by the notorious criminal group “404”, which actively attacked customers of Russian and foreign banks. After the arrest in 2015 of one of the members of “404”, who used the nickname Foxxx, the Cron group modified the malicious software.
The authors of the malware adapted the software for attacks on banks worldwide: in France, Germany, the United Kingdom, the USA, Singapore, Australia and many other countries. The Trojan scanned the victim’s smartphone for banking apps and displayed a fake window with the icon and the bank name retrieved from the Google Play Store, asking the customer to enter their personal information.
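As a defensive illustration of the capability set described in the article (interception and forwarding of bank SMS, overlay windows impersonating bank apps, and disguise as a well-known app), here is an added example, not from the article or from Group-IB, of a small static triage script that flags these combinations in a decoded AndroidManifest.xml. The manifests below are constructed for the example; the permission and broadcast action names are real Android identifiers, but the scoring thresholds and the impersonated-label list are this example’s own assumptions.

```python
"""Static triage of decoded Android manifests for the capability combination
described in the Cron write-up.  Added example; the manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Real Android permission names; the groupings are this example's heuristic.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = {"android.permission.SEND_SMS"}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# App labels the article says the Trojan impersonated (hypothetical watch list).
IMPERSONATED_LABELS = {"viber", "google play", "avito", "navitel", "framaroot"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the suspicious capabilities found in one manifest plus a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(LABEL_ATTR, "") if app is not None else "").strip().lower()
    # A receiver for SMS_RECEIVED is what lets an app see bank alerts/OTPs
    # before (or instead of) the user.
    has_sms_receiver = any(
        action.get(NAME_ATTR) == SMS_RECEIVED_ACTION for action in root.iter("action")
    )

    findings = []
    if perms & SMS_READ and has_sms_receiver:
        findings.append("intercepts incoming SMS (bank alerts/OTPs can be read or hidden)")
    if perms & SMS_SEND:
        findings.append("can send SMS (forwarding to other numbers, SMS-banking commands)")
    if perms & OVERLAY:
        findings.append("can draw overlay windows (fake bank login screens)")
    if label in IMPERSONATED_LABELS:
        findings.append(f"label '{label}' impersonates a well-known app")

    score = len(findings)  # assumed thresholds: 3+ suspicious, 1-2 review, 0 clean
    verdict = "suspicious" if score >= 3 else ("review" if score >= 1 else "clean")
    return {"package": root.get("package", ""), "label": label,
            "findings": findings, "score": score, "verdict": verdict}


# Constructed manifest mimicking the article's description: SMS interception,
# SMS sending, overlays, and a label copied from Google Play.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Play">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a legitimate messaging app: SMS access is expected,
# but no overlay permission and no impersonating label.
SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messenger">
    <receiver android:name=".IncomingSms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest with no sensitive capabilities at all.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, SMS_APP_MANIFEST, CLEAN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} (score {r['score']})")
        for f in r["findings"]:
            print("  -", f)
```

The point of the heuristic is the combination rather than any single permission: a messaging app legitimately reads and sends SMS, so it lands in "review", while an app that also requests overlay drawing and borrows a well-known product name matches the full Cron pattern.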
The Cron gang was planning to attack France first and had developed web injections for the following financial institutions: Assurance Banque, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale, LCL, Credit Agricole and Banque Populaire.
However, the Russian police, with support from Group-IB, managed to identify and arrest all of the members and disrupt their operations before they could launch new attacks.