{
	"id": "e2a2f97c-df2f-4b61-8de2-09bbc7c028a8",
	"created_at": "2026-05-01T03:09:34.922461Z",
	"updated_at": "2026-05-01T03:10:50.754226Z",
	"deleted_at": null,
	"sha1_hash": "64ad0f33d8b30dc5ea310067ebee0bdbf581dd42",
	"title": "Cron has fallen",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 636771,
	"plain_text": "Cron has fallen\r\nArchived: 2026-05-01 02:21:54 UTC\r\nA black police vehicle, UAZ Patriot, is accelerating, chasing a cherry Renault Logan and forcing it to the roadside.\r\nThe taxi driver in the Logan seems agitated, frightened even, accelerates quickly while shifting into higher gears.\r\nIt has gotten dark; both cars speed close to the side of the road sweeping bushes. “Be ready to run,” one of the\r\nofficers warns his colleagues. “He’s going to brake and flee over the fence.” When the Logan finally stops, the\r\nofficers act faster: with the entry team jumping out, pulling the passenger from the back seat and laying him face\r\ndown in the snow.\r\nThis taxi passenger is a member of Cron, a hacker group that stole money from bank accounts of Android\r\nsmartphone users. The hackers infected 3,500 mobile devices per day during the height of their operations. In\r\ntotal, infecting over 1 million devices!\r\nAndroids under attack\r\nGroup-IB first learnt about Cron in March 2015: Group-IB’s Threat Intelligence system tracked the activity of a\r\nnew criminal group that was distributing malicious programs named “viber.apk”, “Google-Play.apk”,\r\n“Google_Play.apk” for Android OS on underground forums. The hackers called this malware “Cron”, hence\r\nthe logic for our naming convention of the group. Cron targeted users of large Russian banks in the Top 50\r\nstanding – all of their SMS banking services were under siege during cron’s operations.\r\nAccording to statistics from the Russian Central Bank, 20% of the adult population in the country used mobile\r\nbanking in Russia. Smartphones have become the new mobile wallet – this trend was capitalized on by cyber\r\ncriminals. In 2015, 10 new hacker groups started stealing money using mobile Trojans, and the number of\r\nincidents tripled!\r\nTrojans for mobile phones and tablets have finally replaced PC Trojans. 
According to 2015 year-end results, losses\r\nof online banking users from attacks employing Android Trojans amounted to over $1 million (61 million rubles).\r\nWhy are hackers choosing Android users as a key attack target? Easy. Almost 85% of smartphones run Android\r\nOS worldwide making them an attractive target for cyber criminal groups.\r\nIt is no longer necessary to be a virus writer to steal money from users of Internet banks – ready-to-use malware\r\ncan be easily purchased or rented on hacker forums. The Cron organizers had already been convicted of\r\nvarious crimes before their hacker attacks. It comes as no surprise that experienced criminals become hackers.\r\nhttp://blog.group-ib.com/cron\r\nPage 1 of 7\n\nOnce Group-IB investigated activity of a hacker who earned up to $20 million per month through thefts in online\r\nbanking.\r\nCron’s attack scheme\r\nThe approach was rather simple: after a victim’s phone got infected, the Trojan could automatically transfer\r\nmoney from the user’s bank account to accounts controlled by the intruders. To successfully withdraw stolen\r\nmoney, the hackers opened more than 6 thousand bank accounts.\r\nAfter installation, the program added itself to the auto-start and could send SMS messages to the phone\r\nnumbers indicated by the criminals, upload SMS messages received by the victim to C\u0026C servers, and hide\r\nSMS messages coming from the bank.\r\nEvery day Cron malware attempted to steal money from 50-60 clients of different banks. An average theft was\r\nabout 8,000 rubles ($100). According to crime investigators, the total damage from Cron's activity amounted to\r\napproximately $800 000 (50 million rubles).\r\nThe gang applied several infection vectors\r\n1. Spam SMS messages with a link to a website infected with the banking Trojan. 
The message was of\r\nthe following form: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user\r\nvisits the compromised website, the malware will be downloaded to the device, tricking the victim into\r\ninstalling it.\r\n2. Infected applications. The victim could install the malicious program on the phone by downloading fake\r\napplications masked as legitimate ones. The Trojan is distributed under the guise of such applications as\r\nNavitel; Framaroot; Pornhub; Avito.\r\nThus, Cron managed to infect over 1 million mobile devices. The gang infected 3,500 devices on average daily.\r\nIn April 2016, an announcement about the lease of a mobile Trojan called cronbot appeared on a hacker\r\nforum. According to its description, the Trojan had the functionality to intercept SMS messages and calls, send\r\nUSSD requests, and perform web injections. We assumed that the criminal group decided to recruit a new member\r\nto the team, because according to the author of the announcement, they were ready to provide the Trojan to one\r\nperson only. At the time, the group consisted of the organizers, operators, “cryptors”, “traffickers” and money\r\nmules.\r\nAnnouncement about the cronbot Trojan offered for rent\r\nPlans for France\r\nHaving earned money in Russia, Cron decided to expand throughout the world. In June 2016 the criminals rented\r\na mobile banking Trojan Tiny.z for $2000 per month. This universal tool has capabilities to attack Android devices\r\nof both Russian and international banks’ customers.\r\nControl panel of the Tiny.z mobile Trojan\r\nGroup-IB specialists detected Tiny.z in early 2016. According to analysis of the botnet control panel, this is the\r\nsame panel that was used by the well-known “404” criminal group that actively attacked clients of both Russian\r\nand foreign banks. 
Purportedly, after the arrest of a “404” member named Foxxx in 2015, Cron modified the\r\nmalicious program.\r\nThe malware authors adjusted this program for attacks on banks of Great Britain, Germany, France, the\r\nUSA, Turkey, Singapore, Australia and other countries. The Trojan scanned the victim’s phone for a banking\r\napplication and displayed a universal window with the icon and name of the bank retrieved from Google Play that\r\nprompted the user to enter his personal data.\r\nControl panel of the Tiny.z mobile Trojan\r\nCron planned to start their “international activity” with attacks targeting banks of France. They developed\r\nspecial web injections for the following French financial institutions: Credit Agricole, Assurance Banque, Banque\r\nPopulaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.\r\nHowever, by November 2016, Russian law enforcement with support from Group-IB had managed to identify all\r\nmembers of the group and collect digital evidence of the crimes committed. On November 22, 2016, a large-scale\r\noperation was carried out in 6 Russian regions: 16 Cron members were detained. The last active member of the\r\ngroup was detained in early April in St. Petersburg.\r\nNever miss a story on Russian-speaking cyber criminals — follow Group-IB on Twitter and LinkedIn.\r\nFigure 5. Photos from the police arrests\r\nHow to avoid becoming a victim of an Android Trojan\r\n1. Android users are particularly vulnerable to security threats and should be extremely cautious.\r\nDo not click on URLs in emails or social media communications, even when coming from your friends or\r\ncolleagues. They can be hacked. 
Only download mobile applications from the official website or app store\r\ndirectly.\r\n2. Keep your smartphone up.\r\nExperts strongly urge you not to root your Android device and to update the firmware in a timely manner,\r\nbecause updates usually contain security patches. Install a modern Internet security solution on your device\r\n– this minimizes the risks.\r\n3. Do not hesitate to contact bank specialists for assistance.\r\nIn the event of any suspicious activity related to your bank account, alleged theft or fraud, immediately\r\ncontact your bank.\r\nSource: http://blog.group-ib.com/cron",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.group-ib.com/cron"
	],
	"report_names": [
		"cron"
	],
	"threat_actors": [],
	"ts_created_at": 1777604974,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64ad0f33d8b30dc5ea310067ebee0bdbf581dd42.pdf",
		"text": "https://archive.orkl.eu/64ad0f33d8b30dc5ea310067ebee0bdbf581dd42.txt",
		"img": "https://archive.orkl.eu/64ad0f33d8b30dc5ea310067ebee0bdbf581dd42.jpg"
	}
}