Russian Android malware infects millions of phones, drains bank accounts


Hackers used mobile malware to steal hundreds of thousands of dollars from bank customers. That’s according to Reuters, which reported on May 22 that cybercriminals tricked Russian users of Google’s Android operating system into downloading malicious apps.

The group of 16 Russian hackers, operating under the code name “Cron” after the malware they used, disguised the malware as fake banking applications and pornography web clients. When Android users in Russia searched online, the search engine results would suggest the fake apps.

The core members of the group were arrested on November 22 last year, before they could mount attacks outside Russia. But according to Group-IB, the cyber security firm investigating the attack with the Russian Interior Ministry, the Cron group infected more than a million smartphones in Russia at a rate of 3,500 devices a day.

“Cron’s success was due to two main factors,” Dmitry Volkov, head of investigations at Group-IB, said in a statement. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”

They targeted customers of Sberbank, Alfa Bank, and online payments company Qiwi, exploiting SMS text message transfer services. The group sent texts from infected devices instructing the banks to transfer money to the hackers’ accounts — up to $120 to one of the 6,000 fraudulent accounts. And they intercepted the transaction confirmation codes, preventing the victims from receiving messages notifying them about the transaction.

They’d planned to go after large European banks including French lenders Credit Agricole, BNP Paribas, and Societe Generale, according to Group-IB.

Cron malware, which was first detected in mid-2015, had been in use for more than a year before the arrests. The Russian hackers rented “Tiny.z,” a piece of malware designed to attack checking account systems, for $2,000 a month in June 2016, and adapted it to target European banks in Britain, Germany, France, the United States, and Turkey, among other countries.

Lukas Stefanko, a malware researcher at cyber security firm ESET in Slovakia, told Reuters that the exploit highlighted the dangers of SMS messages in mobile banking.

“It’s becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people,” he said. “For them it is quick, easy, and they don’t need to visit a bank … But security always has to outweigh consumer convenience.”