Security Experts:

50 Hackers Using Lurk Banking Trojan Arrested in Russia

Law enforcement officers have arrested 50 hackers across Russia involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions. Fourteen main participants including the three primary organizers were arrested in the Sverdlovsk region. An estimated $45 million has been stolen by the gang, while a further $30 million loss has been prevented by the police. The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab.

The hackers had been stealing money from bank accounts in Russia and other countries of the CIS through use of the malicious software known as Lurk. Lurk is an Android trojan that mimics the online banking app for Sberbank, Russia's largest bank. "It displays a similar login screen to the original app and steals user credentials as soon as the victim tries to authenticate," reports Zscaler in an analysis published on the same day as the arrests. It can also steal SMS messages and monitor incoming calls in order to defeat one-time passwords and PINs sent by banks as a second authentication factor.

Once Lurk has been installed it is difficult to detect or remove. Visually there is no difference between the Sberbank app and the Lurk trojan. Technically it is difficult to detect because it resides in memory. For persistence, "It registers a broadcast receiver that triggers whenever the victim tries to remove administrator rights of the malware app, locking the android device for a few seconds. As a result, it is not possible to uninstall this malicious app by revoking admin rights."

About 18 months ago Lurk began to attack Russian banks. It had previously been used against enterprise and consumer systems. Ruslan Stoyanov, head of computer incidents investigation at Kaspersky Lab, said in a statement yesterday, "Our company’s experts analyzed the malicious software and identified the hacker’s network of computers and servers. Armed with that knowledge the Russian Police could identify suspects and gather evidence of the crimes that had been committed."

Sberbank is the only bank mentioned by Kaspersky, although it notes, "The malicious app also has overlays for third-party apps the user is likely to have on their phone, including secure messaging app WhatsApp, the Google Play app and the VTB 24 banking app." Tass reports, however, that six Russian banks fell victim to cyber criminals during March and April of this year. About $10.2 million was stolen from Metallinvestbank. "Cybercriminals obtained remote access to Metallinvestbank’s systems and transferred funds to accounts under their control," says Tass.

There is some confusion over exactly how much has been stolen from which banks over what period. Kaspersky Lab describes "a five-year operation to steal three billion rubles (just shy of $45 million USD) from the country’s largest bank, Sberbank." It also adds that "Lurk started attacking banks one-and-a-half years ago."

Tass reports that no money was stolen from Sberbank, but that an FSB spokesperson had said, "the perpetrators have stolen more than 1.7 billion rubles ($25.7 mln) from accounts of Russian financial institutions." It also adds that the Interior Ministry puts the figure at $45 million: "The damage caused by persons suspected of cybercrimes in Russia has exceeded 3 billion rubles ($45 million), Interior Ministry spokeswoman Irina Volk told TASS on Wednesday."

What isn't contested, however, is that Kaspersky Lab assisted the Russian authorities in locating and arresting some 50 hackers that had been using the Lurk trojan on a massive scale.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.