22 May

Group-IB has helped to detain the Cron gang – cyber criminals who managed to infect 1 mln devices

A large cyber gang that stole tens of millions of rubles through attacks on the mobile devices of Russian banks' clients has recently been disrupted by the Russian MIA with active help from Group-IB. The group's statistics: over 1 million mobile devices infected and thousands of cases of theft, with an average theft exceeding 100 USD. According to Group-IB, Cron was preparing to attack clients of several French banks.

The operation to arrest the core of the cyber gang was carried out on November 22, 2016: on that day, 16 of its members were simultaneously detained in 6 regions of the Russian Federation. The core gang members were detained in the city of Ivanovo.

The activity of the criminal group distributing the Android malware called «Cron» (CZK) was first detected by the Group-IB Intelligence system in mid-2015. Once it had infected a victim's phone, the attackers' program was able to make transfers from the victim's bank account to an account controlled by the attackers. Cron can send SMS messages to phones controlled by the criminals, forward SMS messages received by the victim to remote servers, and hide incoming SMS notifications from the bank.

In less than a year, the Cron gang managed to infect more than 1 million mobile devices in Russia, on average 3,500 devices per day. The total damage from Cron's activity exceeds $900,000. After infecting a phone, the malware automatically attempted to transfer money to the hackers' bank cards and phone accounts. The hackers opened more than 6,000 accounts. Every day the malware made 50 to 60 attempts to steal money from customers of various banks. The average theft was about $120.

The malware spread in two main ways:

1. Through contextual advertising. After searching for “mobile app * bank name *”, the victim saw compromised sites among the top search results. These sites hosted the malicious content: an Android mobile internet banking application disguised as the bank's official RBS application. Once installed, the application displayed a phishing page styled to match the bank's visual identity.

2. By downloading a fake app disguised as a legitimate one. The Trojan spread in the guise of the following apps: Navitel, Framaroot, Pornhub, Avito.

The group operated in the territory of Russia, but it is of particular interest that in June 2016 it rented the mobile banking Trojan «Tiny.z», a universal Android malware aimed at customers of foreign as well as Russian banks, for $2,000 a month.

The creators of «Tiny.z» adapted the program to attack banks in the UK, Germany, France, the USA, Turkey, Singapore, Australia and other countries. The malware works as follows: the Trojan searched the victim's phone for banking applications and displayed a universal pop-up window for entering personal data, into which it substituted the icon and name of the bank as taken from Google Play.

According to our Hi-Tech Crime Trends Report, in 2016 mobile Android Trojans caused total losses of over $6 mln, an increase of 471% compared to the previous reporting period. The reason Android users became the main victims is quite obvious: 85% of smartphones globally are Android-based.

Dmitry Volkov

Head of Threat Intelligence Department
and co-founder of Group-IB

For the first series of infection attempts, Cron chose a few French banks. To this end, they developed dedicated injects for Crédit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d'Epargne, Société Générale and LCL. However, they did not have time to put the malware to use.

More details on the investigation are available on the official Group-IB blog.