Skip to content ↓ | Skip to navigation ↓

The Russian Interior Ministry has announced the arrest of 20 individuals who helped develop and perpetrate a mobile malware campaign known as “Cron.”

On 22 May, Russian Interior Ministry representative Rina Wolf disclosed a joint effort with Russian IT security firm Group-IB designed to bring down the malware group. The collaboration culminated in a series of raids that targeted 20 individuals living in the Russian regions of Ivanovo, Moscow, Rostov, Chelyabinsk, and Yaroslavl as well as the Republic of Mari El.

During the raids, law enforcement seized computer equipment, bank cards, and SIM cards associated with the scheme. They also apprehended the group’s founder, a 30-year-old resident of Ivanovo.

Group-IB first learned of Cron in March 2015. At that time, it came across the group distributing malicious programs for the Android OS named “viber.apk”, “Google-Play.apk”, “Google_Play.apk” on underground digital forums. These programs all downloaded Cron, a family of malware designed to target victims’ bank accounts.

The IT security firm elaborates further on the specifics of the malware campaign:

“The approach was rather simple: after a victim’s phone got infected, the Trojan could automatically transfer money from the user’s bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6 thousand bank accounts.

“After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank.”

On average, the group stole approximately 8,000 rubles ($100 USD) from a victim. Their total haul from Cron amounted to 50 million rubles, or more than $800,000 USD. Overall, the bad actors stole this money from more than a million victims, with 3,500 unique Android devices infected daily.

April 2016 announcement about the cronbot Trojan offered for rent. (Source: Group-IB)

Cron used spam SMS messages with malicious links and fake applications as its infection vectors. Given these means of delivery, Android users should avoid suspicious links, download apps only from Google’s Play Store, and keep their phones up-to-date. They should also review their bank accounts regularly and notify their financial institutions of any suspicious account activity.

News of this takedown follows more than a year after researchers discovered Android/Spy.Agent.SI, a sophisticated family of Android malware targeting the mobile apps of some of Australia’s largest banks.