Android Malware Targets Online Banking Russian Users, Infects 1 Million Devices

Reynaldo Pagsolingan Jr.

By: Reynaldo Pagsolingan Jr. | Squeeze | Published August 16, 2017 | Updated December 10, 2017


In November 22 last year, 16 members of Russia-based hacking group called “Cron” were arrested after tricking customers of Russian banks into downloading malware through fake mobile banking applications, as well as via pornography and e-commerce programs. Cron, which was named after the malware it used, specifically targeted Android devices.

According to security company Group-IB, Cron was first detected in mid-2015 distributing malicious programs named “viber.apk”, “Google-Play.apk”, and “Google_Play.apk” on underground forums before it infected more than a million smartphones in Russia in 2016, which averaged 3,500 a day.

The campaign victimized customers of Sberbank, Alfa Bank, and online payments company Qiwi, exploiting SMS text message transfer services that they provide to users. The group managed to earn more than 50 million roubles ($892,000) from its exploits that lasted under a year by time of the arrest. The prevalence of SMS-banking services in Russia attributed to the success of the group’s campaign. Group-IB said that statistics from the Russian Central Bank show that 20% of the adult population in Russia used mobile banking.

The approach of Cron was rather simple in nature: after an end user’s phone got infected, the Trojan would automatically transfer money from the user’s bank account to accounts controlled by the intruders. In order to withdraw the stolen money, the hackers opened more than 6 thousand bank accounts.
Upon installation, the program will add itself to the auto-start and could send SMS messages to the phone numbers indicated by the cyber criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank.

The hacking group had two ways to spread the malware. The first one was through the delivery of spam SMS messages with a link to a website infected with the banking Trojan. The message reads: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user visits the compromised website, the malware will be downloaded on the device, deceiving the victim to install it.
The second method was through infected applications. The end user could install the malicious program on the phone by downloading fake apps masquerading as legitimate ones. The Trojan then is distributed under the appearance of such applications as Navitel, Framaroot, Pornhub, or Avito.

Increasing Number of Malicious Fake Apps

Mobile malware’s disruptive impact on end users continues to see an uptick as smartphones become an increasingly preferred platform to flexibly access and manage data. Cron is just the latest of the growing number of attacks on the Android OS. Cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps early in 2016, and the same thing happened to another Nintendo property, Super Mario. Very recently, a Trojan named Bankbot was discovered posing as a legitimate service that aimed to steal online banking and other credentials by popping up fake login windows over legitimate banking and other apps.

Show comments