Industry News

Nazi-loving Android malware suspects arrested in Russia

Russian police have arrested five men in connection with an organised criminal attempt to steal money from online banking customers using an Android trojan horse.

The men, who computer crime authorities in the country claim have confessed their involvement in the scheme, are alleged to have stolen up to 50 million rubles ($930,000) with their malware.

Amongst those arrested is said to be the 25-year-old suspected author of the Svpeng banking malware (detected by Bitdefender products as Android.Trojan.Svpeng.A).

Security firm Group-IB, who assisted the Russian authorities with the investigation, claimed that the malware was initially distributed via spammed out SMS messages, containing a link to a boobytrapped version of Adobe Flash Player.

svpeng-fake-flash

Post-infection, the Svpeng Android malware had a variety of dirty tricks up its sleeve:

Firstly, the malware can display fake login pages for online banks, and pass phished login details and passwords onto the hackers.

The hacker can attempt to transfer money from the victim’s account to one under his control using SMS banking services. The malware can intercept any messages sent by the bank to the infected Android smartphone (hiding it from the genuine account owner), and thus grab the confirmation code required to confirm the payment.

According to a Forbes report, the malware may not have just been interested in targeting banking customers in Ukraine and Russia, but also appeared to scan for Western banking apps such as Citi, Amex and Wells Fargo.

Interestingly, the malware was capable of displaying bogus official-looking warnings on victims’ Android devices, claiming to be FBI notifications that the device has been “locked” due to its owner visiting pornographic websites.

The fake ransomware warnings went on to demand a $200 penalty be paid to ensure that the device’s returned to normal working order.

In addition, according to security firm Group-IB, who assisted the Russian authorities with the investigation, the Svpeng trojan can trick users into entering their credit card information into a phishing window rather than the genuine Google Play interface used to make app purchases.

These stolen details can then be abused by the criminals to line their own pockets.

Russia’s Ministry of the Interior made details of the arrest public via a statement on its website, published over the weekend, although it is understood that the police swooped on the gang on March 24th.

Computers, mobile phones, credit cards and other technical equipment were seized by the authorities during searches of the suspects’ houses, and the gang’s “Fifth Reich” admin console uncovered, which allegedly helped them manage the hijacked devices.

svpeng-console

As you can see, the “Fifth Reich” admin console gives the hacker access to statistics about how many devices are compromised, and their whereabouts. It is also replete with Nazi iconography.

Charming…

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.