A Russian hacking group, “Cron,” has used malicious apps and software to infect around 1 million Android smartphones and steal 50 million roubles (around £677,000 or $892,000) from domestic bank customers. According to Group-IB, the cyber security firm investigating the attack with the Russian Interior Ministry, the group infected smartphones at a rate of 3,500 devices a day.
The group of 20 hackers had purchased a more powerful piece of malware and was planning to expand the attack to European financial leaders before being arrested. The core members of the group were arrested on November 22 last year. The group had begun targeting French firms Credit Agricole, BNP Paribas and Societe Generale, but no funds were stolen from their customers.
The Cron group, named after the malware they used, disguised the malware as fake banking applications and as e-commerce and pornography web clients. When Android users in Russia searched online, the search engine results would suggest the fake apps, and users would be tricked into downloading the phony version. Once they had control over an infected smartphone, the hackers were able to send SMS messages to the user's bank instructing it to transfer money, up to $120, to one of the 6,000 fraudulent accounts. They intercepted the transaction confirmation codes and prevented the victims from receiving messages notifying them about the transaction. The attack was able to bypass two-factor authentication features that would require a user to enter a secondary code (often sent via text message) to confirm their identity.
“Cron’s success was due to two main factors,” Dmitry Volkov, head of investigations at Group-IB, said in a statement. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”
They targeted customers of Sberbank, Alfa Bank, and online payments company Qiwi, exploiting SMS text message transfer services.
“Group-IB first learnt about Cron in March 2015: Group-IB’s Intelligence system tracked the activity of a new criminal group that was distributing malicious programs named ‘viber.apk’, ‘Google-Play.apk’, ‘Google_Play.apk’ for Android OS on underground forums,” explained the cyber security company.
The situation came to light when sources close to the investigation tipped off Reuters.
The Russian hackers rented “Tiny.z,” a piece of malware designed to attack checking account systems, for $2,000 a month in June 2016, and adapted it to target European banks in Britain, Germany, France, the United States, and Turkey, among other countries.
Luckily for the people with infected smartphones, and unfortunately for the hackers, only small sums can be transferred via SMS instructions, so despite the volume of devices affected, the amount of money the hackers stole was not astronomical.
A total of 16 people have been arrested thus far in relation to the case, including a 30-year-old man who is believed to be the leader of the group, which operated across six different regions of Russia.
The exploit highlighted the dangers of SMS messages in mobile banking. SMS banking services are used in Russia to help people living in isolated areas, where access to banks is not easy. But security always has to outweigh consumer convenience.