22 May

Group-IB has helped to detain the Cron gang – cyber criminals who managed to infect 1 mln devices

A large cyber gang that stole tens of millions of rubles by attacking the mobile devices of Russian banks’ clients has recently been disrupted by the Russian MIA with the active help of Group-IB. The group’s statistics: over 1 million mobile devices infected and thousands of thefts, with an average theft exceeding 100 USD. According to Group-IB, Cron was preparing to attack clients of several French banks.

The operation to arrest the main part of the gang took place on November 22, 2016: on that day, 16 of its members were simultaneously detained in 6 regions of the Russian Federation. The core gang members were detained in the city of Ivanovo.

The activity of the criminal group distributing the Android malware called «Cron» (CZK) was first detected by the Group-IB Intelligence system in mid-2015. After infecting a victim’s phone, the malware could make transfers from the victim’s bank account to an account controlled by the attackers. The Cron program can send SMS messages to phones held by the criminals, forward SMS messages received by victims to remote servers, and hide incoming SMS notifications from the bank.

In less than a year, the Cron gang managed to infect more than 1 million mobile devices in Russia. On average, they infected 3,500 devices every day. The total damage from Cron’s activities is more than $900,000. After infecting the phone, the malware automatically tried to transfer money to the hackers’ bank cards and phones. The hackers opened more than 6,000 accounts. Every day, the malware made 50 to 60 attempts to steal money from customers of different banks. The average theft was about $120.

The malware spread in two main ways:

1. Through contextual advertising. After searching for “mobile app * name * Bank”, the victim saw compromised sites among the top search results. These sites hosted the malicious content: an application for mobile internet banking (for Android OS) disguised as an official RBS application. The installed application shows a phishing page styled to match the bank’s visual design.

2. The victim could install the malware by downloading a fake app disguised as a legitimate one. The Trojan was distributed disguised as the following apps: Navitel; Framaroot; Pornhub; Avito.

The group operated in Russia, but of particular interest is the fact that in June 2016 it rented the mobile banking Trojan «Tiny.z» – a universal Android malware aimed at customers of not only Russian but also foreign banks – for $2,000 a month.

The creators of «Tiny.z» adapted the program to attack banks in the UK, Germany, France, the USA, Turkey, Singapore, Australia and other countries. The malware works as follows: the Trojan searched the victim’s phone for a banking application and displayed a universal pop-up window for entering personal data, into which it substituted the bank’s icon and name as taken from Google Play.

According to our Hi-Tech Crime Trends Report in 2016 mobile Android Trojans caused total losses of over $6 mln, which reflects an increase of 471%, compared to the previous reporting period. The reason why Android users became the main victims is quite obvious – 85% of the smartphones globally are Android-based.

Dmitry Volkov

Head of Threat Intelligence Department
and co-founder of Group-IB

For the first series of infection attempts, Cron chose a few French banks. To this end, they developed special injects for Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL. However, they did not have time to use the malware.

More details on the investigation are available on the official Group-IB blog.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
