Russian-speaking hacker arrested for stealing $8,000 per day leveraging mobile malware

Pierluigi Paganini May 25, 2018

Moscow, May 24, 2018 – law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.

At the height of the group’s activity, victims reportedly lost between 1,500 and 8,000 dollars daily, and the group used cryptocurrency to launder the money.

Group-IB’s analysis of the tools and techniques used in the group’s attacks revealed that the gang tricked customers of Russian banks into downloading a malicious mobile application called “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all their bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

The investigation by authorities identified a member of the criminal group who was responsible for transferring money from user accounts to the attackers’ cards: a 32-year-old unemployed Russian national with previous convictions connected to arms trafficking. During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/prosecution continues.

It seems we need to keep our mobiles safe. This is not the first case of stealing; we’ve seen many cases in the past too. One of them happened in March 2018: a malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that had been sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said. Researchers called it a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software.

Many people have questions about torrenting. Millions of people don’t know whether torrenting is legal or illegal. Torrenting carries risks. Authorities will catch and punish you if you torrent copyrighted material. There is also a risk of downloading infected files. All you need is the best tool or any software that will keep you safe from these kinds of threats.

I have reached Sergey Lupanin, Head of cyber investigation department, Group-IB for a comment:

“Actually, this trojan is quite simple and private, meaning there are no descriptions or screenshots on Dark-web forums. And its early versions didn’t interact with any mobile bank services. Users entered their card data and permitted this application to work with SMS messages.

The trojan used the HTTPS protocol with a self-signed certificate to work with C2 servers and sent the user’s card data to the actor. The actor entered this data (which included card number, CVV code, expiration date, and owner name) into a card2card service. The user received an SMS with a transaction authorization code, which was intercepted by this application and sent to the actor for transaction approval. And that’s it. Later this trojan received additional functionality – the ability to work with mobile banks via SMS, thus not requiring the threat actor to use any Card2Card service.”
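The permission pattern described in the quote above (an app that is allowed to work with SMS messages and also talks to a remote server) can be checked statically before an app is trusted. The following Python sketch is an added example, not part of the original article or of Group-IB's analysis; it assumes a manifest already decoded to text XML (for instance with apktool), and the package name, receiver name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample for a hypothetical app; not taken from the real trojan.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardaggregator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return findings for the SMS-interception pattern in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    sms = sorted(perms & SMS_PERMS)
    if sms:
        names = ", ".join(p.rsplit(".", 1)[1] for p in sms)
        findings.append("sms-permissions: " + names)
    if sms and "android.permission.INTERNET" in perms:
        findings.append("sms-plus-network: SMS content can leave the device")
    # A receiver registered for incoming SMS sees each message; on Android
    # before 4.4 a high-priority receiver could also hide it from the inbox.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                name = recv.get(ANDROID_NS + "name")
                findings.append(f"sms-receiver: {name} priority={prio}")
    return findings


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print(line)
```

A finance-themed app that produces all three findings deserves manual review; legitimate messaging apps will also match, so the output is a triage signal rather than a verdict.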

About the author: Group-IB

Original post available here

Pierluigi Paganini

(Security Affairs – mobile malware, cybercrime)
