Cron has fallen

A black police vehicle, UAZ Patriot, is accelerating, chasing a cherry Renault Logan and forcing it to the roadside. The taxi driver in the Logan seems agitated, frightened even, accelerates quickly while shifting into higher gears. It has gotten dark; both cars speed close to the side of the road sweeping bushes. "Be ready to run," one of the officers warns his colleagues. "He's going to brake and flee over the fence." When the Logan finally stops, the officers act faster: with the entry team jumping out, pulling the passenger from the back seat and laying him face down in the snow.

This taxi passenger is a member of Cron, a hacker group that stole money from bank accounts of Android smartphone users. The hackers infected 3,500 mobile devices per day during the height of their operations. In total, infecting over 1 million devices!

Group-IB first learnt about Cron in March 2015: Group-IB's Intelligence system tracked the activity of a new criminal group that was distributing malicious programs named "viber.apk", "Google-Play.apk", "Google_Play.apk" for Android OS on underground forums. The hackers called this malware "Cron", hence the logic for our naming convention of the group. Cron targeted users of large Russian banks in the Top 50 standing – all of their SMS banking services were under siege during cron's operations.

According to statistics from the Russian Central Bank, 20% of the adult population in the country used mobile banking in Russia. Smartphones have become the new mobile wallet – this trend was capitalized on by cyber criminals. In 2015, 10 new hacker groups started stealing money using mobile Trojans, and the number of incidents tripled!

Why are hackers choosing Android users as a key attack target? Easy. Almost 85% of smartphones run Android OS worldwide making them an attractive target for cyber criminal groups.

It is no longer necessary to be a virus writer to steal money from users of Internet banks – ready-to-use malware can be easily purchased or rented on hacker forums. The Cron organizers had already been convicted of various crimes before their hacker attacks. It comes as no surprise that experienced criminals become hackers. Once Group-IB investigated activity of a hacker who earned up to $20 million per month through thefts in online banking.

The approach was rather simple: after a victim's phone got infected, the Trojan could automatically transfer money from the user's bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6 thousand bank accounts.

After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank.

In April 2016, an announcement about the lease of a mobile Trojan called cronbot appeared on a hacker forum. According to its description, the Trojan had the functionality to intercept SMS messages and calls, send USSD requests, and perform web injections. We assumed that the criminal group decided to recruit a new member to the team, because according to the author of the announcement, they were ready to provide the Trojan to one person only. At the time, the group consisted of the organizers, operators, "cryptors", "traffickers" and money mules.

Having earned money in Russia, Cron decided to expand throughout the world. In June 2016 the criminals rented a mobile banking Trojan Tiny.z for $2000 per month. This universal tool has capabilities to attack Android devices of both Russian and international banks' customers.

Group-IB specialists detected Tiny.z in early 2016. According to analysis of the botnet control panel, this is the same panel that was used by the well-known "404" criminal group that actively attacked clients of both Russian and foreign banks. Purportedly, after the arrest of a "404" member named Foxxx in 2015, Cron modified the malicious program.

The malware authors adjusted this program for attacks on banks of Great Britain, Germany, France, the USA, Turkey, Singapore, Australia and other countries. The Trojan scanned the victim's phone for a banking application and displayed a universal window with the icon and name of the bank retrieved from Google Play that prompted the user to enter his personal data.

Cron planned to start their "international activity" with attacks targeting banks of France. They developed special web injections for the following French financial institutions: Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d'Epargne, Societe Generale and LCL.

However, by November 2016, Russian legal enforcement with support from Group-IB had managed to identify all members of the group and collect digital evidence of the crimes committed. On November 22, 2016, a large-scale operation was carried out in 6 Russian regions: 16 Cron members were detained. The last active member of the group was detained in early April in St. Petersburg.

Never miss a story on Russian-speaking cyber criminals — follow Group-IB on Twitter and LinkedIn.