Russian raids sweep up 20 malware scum
Cron job aborted after crims scoop ₽50m and share it to 6,000 bank accounts
The Russian Interior Ministry has announced the arrest of 20 people following raids related to a malware campaign dubbed “Cron” which had been emptying victims' bank accounts.
A Russian security company, Group IB, reckons the raids also thwarted plans to take the campaign international – to Great Britain, Germany, France, the USA, Turkey, Singapore, and Australia.
The ministry says the campaign netted 50 million roubles (around US$883,000) – a relatively paltry amount, indicating the plot collapsed before it got a full head of steam.
The raids were widespread, including people living in the “Ivanovo, Moscow, Rostov, Chelyabinsk and Yaroslavl regions and the Republic of Mari El”, and the ministry says the group was organised by an unnamed 30-year-old resident of Ivanovo.
Group IB, acknowledged by the Interior Ministry as a partner in uncovering the malware group, says the malware scum infected more than a million devices, at the rate of “3,500 mobile devices per day”.
Infections were spread either by booby-trapped apps impersonating sites such as PornHub, Navitel (navigation), Framaroot (an Android rooting tool) or Avito (a Russian classified-ads site), or via text messages linking to compromised websites.
The packages Cron dropped on victims were named "viber.apk", "Google-Play.apk" and "Google_Play.apk", names chosen to pass as the Viber messenger and the Google Play store. Once a victim was infected, the malware harvested their banking credentials and abused the bank's SMS banking service to move their funds out.
The money was transferred into more than 6,000 bank accounts operated by Cron members, Group IB says, and the group probably bought its tools on a Trojan-trading site sometime after August 2016. ®