Investigators have reportedly stated that Russian cyber criminals have used malware installed on Android mobile devices to steal from Russian banks and their customers, and were also planning further virtual raids on European banks at the time of their arrest. According to Group-IB, a cyber security firm which investigated the attack along with the Russian Interior Ministry, the hackers tricked customers of the Russian banks into downloading fake mobile banking apps and e-commerce programs among other software which contained the malware known as “Cron.”
Two sources who are close to the case said that the hackers exploited weaknesses in the companies’ SMS text message transfer services to steal money from accounts at Alfa Bank and Qiwi, an online payments company. Sberbank, a state-backed lender was also targeted using the same vulnerabilities in the service which allows Russian users to transfer small sums of money to other accounts through sending a text message. When the malware had been planted onto the unsuspecting victim’s phones, the criminals sent text messages from the devices instructing banks to transfer money to accounts controlled by the hackers. Lukas Stefanko, a malware researcher at ESET pointed out that this situation illustrates the dangers of using text messages for mobile banking, a preferred banking method in countries which have less advanced internet capabilities.
The cyber-gang, who called themselves “Cron” after the malware it used, raised more than 50 million roubles ($892,000) with this attack. It has also been revealed since that the gang had managed to obtain a more sophisticated software in order to target the clients of the French banks Credit Agricole, Societe Generale, and BNP Paribas, and possibly also lenders in other western countries, although they were only operating in Russia at the time of their arrests. Group-IB said that in June 2016 they had rented malware called “Tiny.z” which was specifically designed to attack mobile banking systems for $2,000 a month. The creators of this malware had also adapted it for targeting banks in Britain, France, Germany, Turkey, the US, and other Western countries.Group-IB confirmed that sixteen suspects had been arrested in connection to the case by Russian officials in November last year. It was estimated that Cron had infected in excess of a million smartphones in Russia, on average infecting 3,500 new devices a day.