Russian police have arrested five alleged members of a cybercrime gang responsible for Android malware that both stole payment card data and locked up smartphones, demanding a ransom, Forbes reported on Monday (April 13).
Russia’s Ministry of Internal Affairs said it arrested five members of the gang on March 24, including the suspected creator of the Svpeng malware strain, which reportedly infected as many as 350,000 Android devices and stole $930,000 in Russia alone. Russia’s largest bank, Sberbank, was an early target of Svpeng, but users in the U.S., U.K. and Europe were also hit starting in 2014.
Authorities didn’t name the suspects, but said the five had offered confessions. “Work is underway to establish the involvement of these persons to dozens of similar offenses,” the Ministry of Internal Affairs said in an announcement.
The Svpeng malware combined payment-card theft and ransomware. Early versions infected Android devices by sending text messages that offered an Adobe Flash Player download; once the user downloaded the software, every time the user opened the Google Play app, the malware popped open windows asking for the user’s payment card information before proceeding. A later version that targeted U.S. and European users blocked access to the phone with a fake notice from the FBI, claiming the user had accessed pornography on the device and demanding a $200 ransom in the form of a Green Dot prepaid card.
Svpeng also scanned for banking apps from Citi, Wells Fargo, Bank of America, Chase and American Express, though nothing in current versions of the malware actually made use of that information.
Moscow-based cybersecurity firm Group-IB, which said it helped law enforcement put together the case against the Svpeng gang, reported that the hackers were fans of Nazi iconography, using swastikas to decorate their malware management software and giving it the name “The Fifth Reich.”
Group-IB told Forbes that it was hired by Sberbank in 2013 to investigate Svpeng-related incidents. A team of Group-IB analysts uncovered the nicknames of the cybergang members on underground forums and had identified the malware’s author within three months and worked alongside him undercover, according to Group-IB cybercrimes investigation division leader Dmitry Volkov. That would mean Group-IB spent a year gathering evidence before the arrests.