Police swoop on gang that planted banking Trojan on 1m phones

Russia’s Ministry of Internal Affairs has busted a gang that infected more than 1m Android devices with a banking Trojan that forced the devices to make transfers and intercepted the banks’ text messages, the MIA announced on Monday.

The MIA said the so-called Cron gang had managed to siphon off more than 50m rubles – about $890,000, or £684,000. The ministry was helped by the Russia-based security outfit Group-IB, which said that the Cron crooks were nabbed right before they were going to unleash another piece of malware on customers of French banks.

Group-IB first caught wind of the Cron crooks in March 2015 when its intelligence system picked up on a new criminal group distributing malicious Android packages named viber.apk, Google-Play.ap, and Google_Play.apk on underground forums.

The hackers themselves called the malware Cron, so that’s what Group-IB called the gang.

Here’s how the heist worked: first, to infect an Android device, the gang had a few tricks. One was to spam out text messages with a link to a website rigged with the banking Trojan.

The message read either:

Your ad is posted on the website…

or:

Your photos are posted here.

Another infection vector was fake apps: malware disguised as legitimate applications such as Navitel, Framaroot, Pornhub and Avito.

The Cron gang also advertised. They planted links to compromised sites that showed up as top search results when people searched “mobile app” with the name of a bank. The phishing sites were set up to look just like an official bank site.

After a victim’s phone was infected, the Trojan could automatically transfer money from the user’s bank account to accounts controlled by the gang. To withdraw the stolen funds, the hackers opened more than 6,000 bank accounts.

After installation, the malware added itself to auto-start. It had the power to send SMS messages to the phone numbers indicated by the criminals, to upload SMS messages received by the victim to command and control servers, and to hide text messages coming from the bank.
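The capabilities just listed (auto-start, sending SMS, reading incoming SMS and suppressing the bank's messages) all have to be declared in an app's manifest, which makes them a cheap static triage check for anyone vetting APKs. The following script is an added example, not code from the article or from Group-IB: it parses an `AndroidManifest.xml` with the standard library, collects the declared permissions and broadcast receivers, and reports the combination described above. The two manifests are constructed for the example, and the priority threshold of 100 is an assumption chosen for illustration (a receiver must out-rank the stock SMS app to see a text first, and legitimate messaging apps can do this too, so treat it as a triage signal rather than a verdict).

```python
"""Static triage of an AndroidManifest.xml for the SMS-stealing capability
combination described in the article. Example code, not from the article
or Group-IB; sample manifests are constructed."""
import xml.etree.ElementTree as ET

# Attribute namespace used for android:name, android:priority, etc.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission and intent-action identifiers.
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SEND_SMS_PERM = "android.permission.SEND_SMS"
READ_SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Assumed threshold: anything this high is trying to beat the default
# messaging app to an incoming text (needed to hide a bank's SMS).
HIGH_PRIORITY = 100


def triage_manifest(manifest_xml: str) -> dict:
    """Return permissions, the highest SMS receiver priority and findings."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)

    boot_receiver = False
    sms_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if BOOT_ACTION in actions:
                boot_receiver = True
            if SMS_RECEIVED_ACTION in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                if sms_priority is None or prio > sms_priority:
                    sms_priority = prio

    findings = []
    if BOOT_PERM in perms or boot_receiver:
        findings.append("auto-start on boot")
    if SEND_SMS_PERM in perms:
        findings.append("can send SMS")
    if perms & READ_SMS_PERMS:
        findings.append("can read incoming SMS")
    if sms_priority is not None and sms_priority >= HIGH_PRIORITY:
        findings.append(f"high-priority SMS receiver (priority {sms_priority})")

    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "sms_receiver_priority": sms_priority,
        "findings": findings,
        # Assumed rule: three or more of the four signals together is worth a closer look.
        "suspicious": len(findings) >= 3,
    }


# Constructed manifest mimicking a fake "Google Play" app with the Cron-style capabilities.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Google Play">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app, for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for xml_text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(xml_text)
        print(report["package"], "suspicious" if report["suspicious"] else "ok", report["findings"])
```

Run it on a manifest pulled from an APK with `apktool` or `aapt` and the report lists which of the four signals are present; on the constructed sample it flags all four, on the benign one none.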

The gang was very busy: every day, on average, the gang infected 3,500 devices. And every day, the Cron malware tried to sneak money out of the bank accounts of between 50 and 60 victims. The average theft was about 8,000 rubles ($100).

By April 2016, the Cron crooks were ready to expand. They took to a hacker forum to announce the lease of a mobile Trojan called cronbot that purportedly could intercept SMS messages and calls, send USSD requests – that’s a GSM cellular phone protocol used to communicate with a service provider’s computers – and perform web injections.

It was only offered to one person, which led Group-IB to assume that the gang decided to recruit a new member. As it was, the group consisted of organizers, operators, “cryptors”, “traffickers” and money mules.

Another sign that the Cron gang was expanding beyond Russia came in June 2016, when the team rented a mobile banking Trojan, Tiny.z, for $2,000 a month. The tool was capable of attacking Android devices belonging to the customers of both Russian and international banks.

The Cron crew tweaked Tiny.z to attack banks in Great Britain, Germany, France, the USA, Turkey, Singapore, Australia and other countries. The Trojan scanned the victim’s phone for a banking application and displayed a universal window with the icon and name of the bank retrieved from Google Play that prompted the user to enter their login.

France was first on the list of targeted countries: the gang tailored web injections for the financial institutions Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.

The French assault never happened. By November 2016, Russian police had identified all 20 gang members and collected digital evidence of their crimes. Between November 2016 and April 2017, they carried out 20 raids in six regions of Russia, arrested 16, and now have four under house arrest. The last arrest took place in April when police arrested a man in St. Petersburg.

Cron-b-gone: fending off Play Store malware

Now, to walk this epic bust back to the initial infection vectors: you might wonder how nastyware like Cron gets past Google’s vetting procedures to keep out booby-trapped apps.

When you look at the numbers, it’s not hard to understand. As fellow Naked Security writer Paul Ducklin has explained, as of January 2016 about 50,000 new apps were being admitted to Google Play each month. Since then it has accelerated: the figure for this month was near 55,000 apps, feeding into a total of nearly 3m apps.

Google’s good, but it’s not perfect. During 2015, malware samples from more than 10 different families made it past Google’s checks and were installed more than 10m times.

If you’re curious to know how crooks slip past Google’s safeguards, you’ll want to read the article The Secrets of Malware Success on Google Play Store, from SophosLabs’ Rowland Yu.

And if you want to inoculate yourself against Android malware, these are the three primary tips we pass along:

  • Install patches for your device as soon as they are available. (Sadly, for some devices, that’s rarely or never.)
  • Use a product such as Sophos Free Antivirus and Security to keep an eye out for malware, dodgy websites, adware and other potentially unwanted apps.
  • Turn off “Allow installation of apps from unknown sources” in the Android security settings if you can.

It’s also smart to avoid clicking on URLs in emails, in text messages or on social media, even if you think a message is coming from somebody you know. Such links can be rigged with malware.

Also, stick to downloading apps from official app stores or official websites. Even though Google’s Play Store has a sizable chunk of malware apps, it’s still likely a safer bet than clicking on a random link sent by who-knows-who posing as your best buddy or your boss.