Russian cops have arrested two mobile botnet cybercrime suspects as part of an ongoing investigation that's reckoned to be the first of its kind in Russia.
The unnamed duo, aged 25 and 24 and both resident in Arkhangelsk (a city in the north of European Russia) were arrested as part of an investigation into attempts to defraud customers of Sberbank using Android-based malware.
One of the attackers was held on remand for two months, while the other was placed under house arrest, according to Group-IB, a Russian computer forensics firm closely involved in the investigation.
Group-IB assisted Directorate K of the Russian Ministry of Internal Affairs to "investigate and suppress" the activities of a banking fraud gang linked to the alleged scam. The arrest - described as the first of their kind in Russia by Group-IB, relate to a series of attacks that began last year, as Group-IB explains.
Towards the end of 2013, the security service of Sberbank detected a cyber attack on owners of Android smartphones. The attackers infected the phones with malicious software through mass mailing of MMS messages from "RomanticVK" or "VK_Gift" with the promise of a "romantic gift". When the unsuspecting users clicked the links, virus was downloaded on their phones.
The virus recharged the mobile phone account from a bank account linked to that mobile number. After that, it used SMS service to withdraw the funds to the account of other subscribers of mobile operators and electronic payment systems.
The first wave of the attack was successfully repelled thanks to rapid response by the security division of Sberbank and interaction with mobile operators. The mailing containing the virus was blocked, while the Bot-Trek service, developed by Group-IB, detected compromised devices. A well-coordinated work by the security services of Sberbank and Group-IB helped in gathering materials and evidence for law enforcement agencies.
After a short pause, the attackers resumed their illegal activity, having improved the malware. This time around, their actions were documented by the law enforcement agencies.
Investigations led to the detention of two residents of Arkhangelsk.. and a criminal case was filed against them.
"At a request by Sberbank, Group-IB provided support to the investigations in all the stages," explained Ilya Sachkov, chief exec of Group-IB. "Our security incident response center CERT-GIB closely monitored and promptly blocked new malicious resources. Computer hardware seized from the criminals during the arrest was sent to Group-IB's forensic lab for investigation and additional evidence".
Investigators are working on the theory that the main suspect in the case made his bones back in 2010 as a malware developer and owner of a mobile payment aggregator site. "The skills gained in working with mobile platforms enabled him to quickly create a large botnet of mobile devices. The attacker was known on the Internet as 'ItBill' and 'tripfon', according to Group-IB.
Moscow-based Group-IB specialises in preventing and investigating high-tech cyber crimes and fraud. The firm offers a range of security auditing and computer incident response services, including computer forensics for Russian law enforcement. Sberbank is a Russian government-owned bank. ®