Russian authorities have arrested members of the TipTop cybercrime group, believed to have infected more than 800,000 Android smartphones with malware since 2015.
The group operated by renting Android banking trojans from underground hacking forums, which they later hid inside Android apps distributed via search engine ads and third-party app stores.
TipTop has been active since 2015, and its operators have been making between $1,500 and $10,500 in daily profits, according to Group-IB, the cyber-security firm that helped Russian authorities track down the gang’s members.
TipTop primarily used the Hqwar banking trojan
The group’s favorite malware was the Hqwar (Agent.BID) banking trojan, which they rented and used in most of their campaigns.
Hqwar is capable of reading SMS messages, recording phone calls, and initiating USSD requests. However, its primary function is to show fake login screens on top of legitimate banking apps and steal victims’ login credentials.
Group-IB said TipTop temporarily stopped distributing Hqwar in 2016, when they experimented with its competitors, such as Asacub (Honli), Cron, and CatsElite (MarsElite), but returned to it in 2017 when they used it alongside the Lokibot and modernized Marcher (Rahunok) trojans.
In 2017, Kaspersky ranked Hqwar as the fourth most popular Android malware. A year later, Kaspersky cited Hqwar, together with Asacub, as one of the root causes of the sudden jump in the number of Android mobile banking trojans.
In all of this, the TipTop group played a major role, distributing the malware via third-party app stores and via search engine ads that led to websites offering the trojan for download, hidden inside various Android apps that users had to side-load onto their phones.
TipTop group targeted Russian users
Group-IB said the group primarily targeted the customers of Russian banks, which, in turn, led to an increased focus from local authorities.
A breakthrough came earlier this year when Group-IB identified one of the TipTop members as a 31-year-old man from the city of Krasnoyarsk, Russia.
The suspect was one of the TipTop “money mules,” a member responsible for siphoning money from victims and transferring the funds to the main TipTop accounts.
The man, who was arrested earlier this year and has not yet been named, was sentenced yesterday by a Russian court to a two-year suspended prison sentence.
Official documents and statements do not mention whether the suspect collaborated with authorities. However, officials from the Russian Ministry of Internal Affairs said they made other arrests using information gathered from this case, and that further suspects are under investigation.
Group-IB ranked TipTop as the largest mobile malware gang operating in Russia after the takedown of Cron, another case in which the company’s experts played a crucial role by helping authorities identify gang members.