The Russian authorities have rolled up a criminal gang that infected more than one million Android devices with banking malware to steal money from bank accounts. This was disclosed today by the Russian security company Group-IB.
The “Cron gang” appeared on the radar for the first time in 2015. In forums for criminals, the gang offered the “Cron malware”, which featured the chat app Viber and Google Play. Once active on a device, the malware tried to transfer money from the victim’s account to criminal accounts. In total, the criminals opened more than 6000 bank accounts, which was converted to 960,000 euros.
The Cron malware was able to send SMS messages to phone numbers supplied by the criminals. The malware could also upload received text messages and hide the bank’s text messages. To spread the malware, SMS messages with malicious links and infected applications were used. In this way, more than 1 million Android devices were infected.
The Cron malware focused on popular Russian banks. The gang reportedly had plans, however, to attack banks in other countries, with France chosen as the first country. For example, “webinjects” were developed for several French banks.
By the end of 2016 all gang members were mapped and sufficient evidence was collected. On November 22, a large-scale operation took place in Russia where several gang members were detained. The last fugitive was arrested in early April this year.
According to Group-IB, Android users are particularly vulnerable to security threats and should be “extremely careful”. It is recommended not to open any links in email or social media messages, even if they come from acquaintances. In addition, mobile applications must be downloaded only through Google Play.