Russian police have arrested five men in connection with an organised criminal attempt to steal money from online banking customers using an Android trojan horse.
The men, who computer crime authorities in the country claim have confessed their involvement in the scheme, are alleged to have stolen up to 50 million rubles ($930,000) with their malware.
Amongst those arrested is said to be the 25-year-old suspected author of the Svpeng banking malware (detected by Bitdefender products as Android.Trojan.Svpeng.A).
Security firm Group-IB, which assisted the Russian authorities with the investigation, claimed that the malware was initially distributed via spammed-out SMS messages containing a link to a booby-trapped version of Adobe Flash Player.
Post-infection, the Svpeng Android malware had a variety of dirty tricks up its sleeve:
Firstly, the malware can display fake login pages for online banks, and pass phished login details and passwords onto the hackers.
The hacker can then attempt to transfer money from the victim’s account to one under his control using SMS banking services. The malware can intercept any messages sent by the bank to the infected Android smartphone (hiding them from the genuine account owner), and thus grab the confirmation code required to approve the payment.
According to a Forbes report, the malware may not have just been interested in targeting banking customers in Ukraine and Russia, but also appeared to scan for Western banking apps such as Citi, Amex and Wells Fargo.
Interestingly, the malware was capable of displaying bogus official-looking warnings on victims’ Android devices, claiming to be FBI notifications that the device has been “locked” due to its owner visiting pornographic websites.
The fake ransomware warnings went on to demand that a $200 penalty be paid before the device would be returned to normal working order.
In addition, according to Group-IB, the Svpeng trojan can trick users into entering their credit card information into a phishing window rather than the genuine Google Play interface used to make app purchases.
These stolen details can then be abused by the criminals to line their own pockets.
Russia’s Ministry of the Interior made details of the arrest public via a statement on its website, published over the weekend, although it is understood that the police swooped on the gang on March 24th.
Computers, mobile phones, credit cards and other technical equipment were seized by the authorities during searches of the suspects’ houses, and the gang’s “Fifth Reich” admin console, which allegedly helped them manage the hijacked devices, was uncovered.
The “Fifth Reich” admin console gives the hacker access to statistics about how many devices are compromised and where they are located. It is also replete with Nazi iconography.