{
	"id": "f49e9f84-a814-40d9-a7aa-e8a8a775a58f",
	"created_at": "2026-04-06T00:06:48.20967Z",
	"updated_at": "2026-04-10T03:30:32.903089Z",
	"deleted_at": null,
	"sha1_hash": "a90d655dfa8d409ccfc8e2c6a90466346e877b9b",
	"title": "Cyber Crime Gang Arrested for Infecting Over 1 Million Phones with Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1163740,
	"plain_text": "Cyber Crime Gang Arrested for Infecting Over 1 Million Phones\r\nwith Banking Trojan\r\nBy The Hacker News\r\nPublished: 2017-05-23 · Archived: 2026-04-05 19:37:42 UTC\r\nThe Russian Interior Ministry announced on Monday the arrest of 20 individuals from a major cybercriminal gang\r\nthat had stolen nearly $900,000 from bank accounts after infecting over one million Android smartphones with a\r\nmobile Trojan called \"CronBot.\"\r\nRussian Interior Ministry representative Rina Wolf said the arrests were part of a joint effort with Russian IT\r\nsecurity firm Group-IB, which assisted the massive investigation.\r\nThe collaboration resulted in the arrest of 16 members of the Cron group in November 2016, while the last active\r\nmembers were apprehended in April 2017, all living in the Russian regions of Ivanovo, Moscow, Rostov,\r\nChelyabinsk, and Yaroslavl and the Republic of Mari El.\r\nTargeted Over 1 Million Phones — How They Did It?\r\nGroup-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the\r\nCron Bot malware disguised as Viber and Google Play apps.\r\nThe Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims'\r\nAndroid devices by setting up apps designed to mimic banks' official apps.\r\nThe gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub.\r\nOnce victims downloaded and installed these fake apps on their devices, the apps added themselves to the auto-start, and\r\nthe malware hidden inside them gave the hackers the ability to phish victims’ banking credentials and intercept\r\nSMS messages containing confirmation codes sent by the bank to verify the transactions.\r\n\"After installation, the program added itself to the auto-start and could send SMS 
messages to the phone\r\nnumbers indicated by the criminals, upload SMS messages received by the victim to C\u0026C servers, and\r\nhide SMS messages coming from the bank,\" writes Group-IB.\r\n\"The approach was rather simple: after a victim’s phone got infected, the Trojan could automatically\r\ntransfer money from the user’s bank account to accounts controlled by the intruders. To successfully\r\nwithdraw stolen money, the hackers opened more than 6 thousand bank accounts.\"\r\nThe gang usually sent text messages to the banks initiating a transfer of up to $120 to one of the 6,000 bank\r\naccounts the group had set up to receive the fraudulent payments.\r\nThe malware would then intercept the two-step verification codes sent by the bank to confirm the transaction and\r\nblock the victims from receiving a message notifying them about the transaction.\r\nCyberthieves Stole $900,000 in Russia Alone\r\nOn April 1, 2016, the gang advertised its Android banking Trojan, dubbed \"Cron Bot,\" on a Russian-speaking\r\nforum, giving the Group-IB researchers and Russian authorities a clue to their investigation into the group's\r\noperation.\r\nAccording to the security firm, the group stole approximately 8,000 rubles (nearly $100) from each victim on\r\naverage, for a total of 50 million rubles (almost $900,000) from more than one million victims, with\r\n3,500 unique Android devices infected per day.\r\nAfter targeting customers of the Bank in Russia, where they were living, the Cron gang planned to expand its\r\noperation by targeting customers of banks in various countries, including the US, the UK, Germany, France,\r\nTurkey, Singapore, and Australia.\r\nIn June 2016, the gang rented a piece of malware called \"Tiny.z\" for $2,000 per month, designed to attack\r\ncustomers of Russian banks as well as international banks in Britain, Germany, France, the United States 
and\r\nTurkey, among other countries.\r\nDespite operating only in Russia before their arrest, the gang members had already developed web injections for\r\nseveral French banks including Credit Agricole, Assurance Banque, BNP Paribas, Banque Populaire,\r\nBoursorama, Caisse d'Epargne, Societe Generale and LCL, Group-IB said.\r\nHowever, before the gang could launch attacks on French banks, the authorities managed to disrupt their\r\noperations by making several arrests, including the gang's founder, a 30-year-old resident of Ivanovo, Moscow.\r\nDuring the raids, the authorities seized computer equipment, bank cards, and SIM cards associated with the\r\ncriminal gang.\r\nSource: https://thehackernews.com/2017/05/cron-mobile-banking-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2017/05/cron-mobile-banking-malware.html"
	],
	"report_names": [
		"cron-mobile-banking-malware.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a90d655dfa8d409ccfc8e2c6a90466346e877b9b.pdf",
		"text": "https://archive.orkl.eu/a90d655dfa8d409ccfc8e2c6a90466346e877b9b.txt",
		"img": "https://archive.orkl.eu/a90d655dfa8d409ccfc8e2c6a90466346e877b9b.jpg"
	}
}