Alleged 'Nazi' Android FBI Ransomware Mastermind Arrested In Russia

This article is more than 9 years old.

The Russian Ministry of Internal Affairs has announced the arrest of a 25-year-old, believed to be the creator of a particularly harmful strain of Android money-stealing malware, known as Svpeng, that had infected as many as 350,000 Google devices last year. Four other suspects thought to be members of the cybercriminal gang, who were said to have a penchant for Nazi iconography, were also detained.

Russian police were particularly concerned about the campaign, as it had robbed citizens of as much as 50 million rubles ($930,000), with Sberbank, the largest bank in the country, picking up on attacks in 2013 before aiding the investigation. But Android users in the US, UK and Europe were also hit hard by Svpeng. In June last year, Kaspersky warned Svpeng was increasingly turning its gaze away from Russia, noting that more than 91 per cent of attacks targeting English-language users were based in the US and the UK.

The malware had developed to become one of the most surreptitious and effective penny-pilfering Android malware types around, using multiple techniques to nab banking credentials. Originally, it sought to steal funds from victims by opening a new window every time a target launched Google Play, asking them to type credit card credentials, which would be sent to the hackers’ servers. Later, when targeting westerners, Svpeng threw FBI penalty notification letters up on targets’ screens during web browsing, claiming the user had been looking at illegal pornographic material, demanding $200 in the form of Green Dot’s MoneyPak cards - a kind of attack known as ransomware. It would block access to the device, making it completely unusable.

Svpeng Android ransomware threatens victims with a fine from the FBI

The malware was distributed via SMS texts containing a fake link for Adobe Flash Player that would in fact download the Trojan. It also scanned for specific American banking apps, including those from Citi, Amex, Wells Fargo, Bank of America and Chase. Though there was no evidence of what the app actually did after scanning for that software, the Svpeng gang were likely planning to carry out a similar attack to the one targeting Google Play, throwing up a fake page asking for credit card details - a criminal technique known as phishing.

The Svpeng malware's phishing attack, launched as soon as Google Play is opened

The operation took place on 24 March but was only revealed over the weekend. Another four suspects were arrested, all in the Chelyabinsk region. No names were revealed. The Russian Ministry of Internal Affairs indicated the five had offered confessions. “Work is underway to establish the involvement of these persons to dozens of similar offenses,” the body said in an announcement.

Group-IB, a Russian intelligence firm that helped law enforcement put together the Svpeng case, said the hackers had named their control software for Svpeng “The Fifth Reich” and were using Nazi symbols in the management system (see top image). It had labelled the Svpeng crew “The Fascists”.

The intel body, based in Moscow, told FORBES it started the operation at the behest of Sberbank in 2013. According to Dmitry Volkov, cybercrimes investigation division leader at Group-IB, his team of analysts uncovered the nicknames of the hackers on underground forums and within three months knew who the author was, working alongside him undercover.