
Russian authorities have arrested the Cron malware gang, responsible for selling the Cron Android banking trojan and the PonyForx Windows infostealer.

The investigation was of massive proportions and authorities arrested over 16 individuals in six different Russian regions between November 2016 and April 2017.

Details about the arrest became public yesterday via a statement from Russian police and Group-IB, a cyber-security firm based in Russia, which helped during the investigation.

Cron group started operating in mid-2015

The Cron malware gang began operations in mid-2015 when they started distributing the Cron Android banking trojan via third-party app stores.

The crooks disguised the trojan as copies of official banking apps, or inside other apps, such as Navitel, Framaroot, Pornhub, Avito, and others.

Once users installed these apps on their devices, the malware hidden inside them let the group phish banking credentials and capture two-step verification codes by intercepting SMS messages on the user's device.

The Cron malware allowed crooks to take over bank accounts from the user's Android device and siphon money from victims in small transactions averaging $120.

The group used the Cron banking trojan to target customers of Russian banks.

Their intrusive malware campaigns caught the attention of Group-IB researchers and Russian authorities, who began an investigation into the group's operation.

Cron group advertised malware on underground hacking forums

Their biggest mistake was when, on April 1, 2016, they published an ad on a Russian-speaking forum, advertising their Android banking trojan. This gave Group-IB researchers an initial clue of who was behind the wave of Cron infections.

Cron group ad, April 2016 [Group-IB]

According to Group-IB, the ad's purpose was to recruit one collaborator to expand their original team, which already included individuals in the roles of money mules, cryptors, traffickers, and others.

Two months later, driven by the success they had in their home country, the group decided to expand operations in other countries. To do this, the group rented access to a more powerful Android banking trojan named Tiny.z, rented on underground hacking forums for $2,000 per month. Images of the Tiny.z malware backend panel are below.

Backend panel for Tiny.z banking trojan


According to Tiny.z's features, the trojan was capable of targeting customers of banks in the US, the UK, Germany, France, Turkey, Singapore, Australia, and other countries.

Cron group was behind Ponyforx malware

In September 2016, French security researcher Kafeine spotted another ad from the Cron gang, this time for the Ponyforx malware, an infostealer trojan targeting the Windows platform, and based on the more popular Pony malware.

In their ad, the group referred to this infostealer as "Fox stealer v1.0". Ponyforx is how security researchers tracked the malware before the ad's appearance.

However, the group didn't have time to proliferate this new tool because by November 2016, Russian police, with support from Group-IB, had already tracked down group members and started making arrests.

In total, 16 members, including the Cron group leader, were detained in the Russian provinces of Ivanovo, Moscow, Rostov, Chelyabinsk, Yaroslavl, and the Republic of Mari El. The last arrest took place in April, when police arrested a man in Saint Petersburg.

Cron group made $900,000 just in Russia alone

In a press release, the Russian Ministry of Internal Affairs said the group made over 50 million rubles ($0.9 million) from operating the Cron Android banking trojan in Russia alone.

Group-IB says the crooks infected over one million Android devices in Russia alone, were adding over 3,500 new victims per day, and used over 6,000 bank accounts to launder their proceeds. Furthermore, at the time of their arrest, the Cron group was preparing to launch a campaign using the Tiny.z trojan against users of French banks.

The video below contains footage from the 20 raids conducted by Russian authorities.

The article was updated to reflect that the Cron group created the Cron malware, and only rented the Tiny.z malware from another group. An initial version of this article stated that the group also created the Tiny.z malware. Bleeping Computer regrets the error.