Suspected Android malware gang arrested in Russia

News by SC Staff

The Russian Ministry of Internal Affairs' Administration 'K', with assistance from the security service of the country's largest bank, Sberbank, and the private emergency response company Group-IB (using its Bot-Trek cyber intelligence and forensic analysis), has identified, arrested and charged four people from the Chelyabinsk Region for suspected involvement in malware attacks against the Android mobile devices of Russian bank customers. Separate reports say that a 25-year-old, believed to be the creator of the malware, was arrested earlier.

Group-IB describes on its website how the gang, which it dubbed 'The Fascists' for their use of Nazi symbols in the management system of their Svpeng software (itself called 'The Fifth Reich'), sent SMS texts containing a fake link for Adobe Flash Player. Following the link downloaded a Trojan that requested, by SMS, the balances of credit card accounts tied to the mobile device and then made payments to the fraudsters' accounts. Several laptops have been seized along with a dozen mobile phones and a large number of SIM cards.

Described in earlier reports as the Svpeng gang, the group used the Svpeng malware, which first appeared in July 2013 and is said to be clearly designed to steal money from bank accounts. It has since evolved, and new functionality allowed it to commit theft more efficiently. Initially it abused the bank's SMS banking service (sending the specific SMS commands the bank accepts); later the gang collected credit card data using phishing sites. The malware opens a new window on top of the Google Play interface and asks users to type in their credit card credentials, which are then sent to the fraudsters' server.

The hackers then moved on to creating phishing websites for Russian and Ukrainian banks to collect online banking credentials: the Trojan would replace the bank's original window with a phishing window, where again the user would type in their sensitive information for it to be immediately sent to the fraudsters, giving them logins, passwords and access to all SMS messages. Forbes reports that Svpeng had infected as many as 350,000 Google devices last year and that the gang had stolen some 50 million rubles (almost £700,000). In June last year, Kaspersky warned that Svpeng is increasingly being used outside Russia, particularly in English-speaking territories, especially the US and UK.
