Russian police take down a malware gang that infected more than 800,000 Android smartphones


Russian authorities have arrested members of the TipTop cybercrime group, who have reportedly infected more than 800,000 Android smartphones with malware since 2015.

The group operated by renting Android banking Trojans on hacking forums, which they then hid in Android apps distributed through search engine ads and third-party app stores.

TipTop has been active since 2015, with its operators making between $1,500 and $10,500 in daily profits, according to Group-IB, the cyber security firm that helped the Russian authorities trace gang members.

TipTop mainly used the Hqwar banking Trojan

The group's favorite malware was the banking Trojan Hqwar (Agent.BID), which they had rented and used in most of their campaigns.

Hqwar is able to read SMS, record phone calls and launch USSD requests. However, its primary function is to display fake login screens over legitimate banking applications and steal login credentials from victims.

Group-IB said that TipTop temporarily stopped distributing Hqwar in 2016 while experimenting with its competitors, such as Asacub (Honli), Cron and CatsElite (MarsElite), but returned to it in 2017, when they used it alongside the Lokibot and Modernized Walking (Rahunok) Trojans.

In 2017, Kaspersky ranked Hqwar as the fourth most popular Android malware. A year later, Kaspersky cited Hqwar, along with Asacub, as one of the root causes of the sudden rise in the number of Android mobile banking Trojans.

In all of this, the TipTop group played a major role, spreading its malware through third-party app stores and search engine ads leading to websites that offered the Trojans for download, hidden in various Android apps that users had to load onto their phones.

TipTop group targets Russian users

Group-IB said the group mainly targeted Russian bank customers, which allowed local authorities to focus on it more closely.

A breakthrough came earlier this year when Group-IB traced one of TipTop's members to a 31-year-old man from the city of Krasnoyarsk, Russia.

The suspect was one of TipTop's "money mules", a member responsible for siphoning off victims' money and transferring the funds to TipTop's main account.

After his arrest earlier this year, a Russian court gave the man a two-year suspended sentence.

Although official documents and statements do not mention the suspect collaborating with the authorities, officials of the Russian Interior Ministry said that they had also made other arrests with the help of the information collected, and that other suspects were currently under investigation.

Group-IB ranked TipTop as one of the largest malware gangs operating in Russia following the dismantling of Cron, another case in which the company's experts played a crucial role in helping authorities identify gang members.