Twenty people ended up arrested for being part of a plan to move a criminal operation into a larger part of Europe after they were able to pilfer from local banks in Russia, officials said.
Police raids also stopped plans to take the Cron malware campaign to other countries, including the UK, Germany, France, Turkey, Singapore, Australia, and the United States, said Russian security firm Group IB.
Attackers managed to steal about 50 million roubles, which equals close to $900,000, said the Russian Interior Ministry.
Compared to other similar campaigns, this is not the largest amount hackers were able to make off with, but police said the campaign was just getting started.
The raids took place in multiple regions, but it seems the leader of the group was a 30-year-old resident of Ivanovo.
Attackers were able to infect over one million devices, with 3,500 new devices being added each day, Group IB researchers said. The infection spread by pushing people to visit fake sites posing to be the likes of PornHub, Navitel (navigation service), Framaroot (used to root Android devices), or Avito (advertising site in Russia). Text messages linking to compromised websites also ended up used.
Once the victim ended up infected, the malware collected banking credentials and exploited the SMS banking services to steal people’s funds. They then transferred the money over to 6,000 accounts operated by the group’s members.
“Group-IB first learned about Cron in March 2015: Group-IB’s Intelligence system tracked the activity of a new criminal group that was distributing malicious programs named ‘viber.apk’, ‘Google-Play.apk’, ‘Google_Play.apk’ for Android OS on underground forums. The hackers called this malware ‘Cron.’ Cron targeted users of large Russian banks in the Top 50 standing – all of their SMS banking services were under siege during cron’s operations,” Group-IB researchers said in a post.