Russian Police detain TipTop Gang that infected 800,000 Android Devices


Russian police officials recently arrested members of a cybercrime group, dubbed the TipTop Group, who have infected more than 800,000 Android phones with malware since 2015. According to Group-IB, a security firm that helped Russian authorities find the hackers, the TipTop Group had been active since 2015 and was making between $1,500 and $10,500 daily.

Group-IB stated that the group operated by renting Android Trojans from hacking forums. It is believed that the group used Hqwar (Agent.BID), a banking trojan, to target the customers of Russian banks.

The Hqwar malware overlays a fake login screen on top of legitimate banking apps to steal victims’ login credentials. The malware is also able to monitor the victim’s SMS messages, phone calls, and USSD requests.

“This group received the working name TipTop. Its main goal was the clients of large Russian banks — users of smartphones running Android. To infect phones, the attackers disguised malware under the mobile applications of well-known banks from the TOP-10, as well as under the Viber messenger, the Google Play application store or Adobe graphics applications. Cybercriminals placed links to them on their own resources or hacked legitimate sites. To increase the number of victims, cybercriminals redeemed ads in search engines for “mobile bank” and placed links to their resources there,” said Sergey Lupanin, the Head of Investigation at Group-IB.

Recently, Russia suffered a hacking attack that compromised the country’s Federal Security Service (FSB). According to the official statement, hackers allegedly gained access to 7.5 terabytes of data from a major FSB contractor, SyTech. The incident exposed the FSB’s secret projects, including attempts to de-anonymize Tor browser users, the collection of information from users’ social networks, and efforts to separate Russian internet operations from the rest of the world.

The attack occurred on July 13, 2019, and was carried out by a previously unknown hacking group named 0v1ru $. The hackers allegedly gained access to SyTech’s Active Directory server, from which they reached the company’s entire IT network, and defaced the company’s website with a “yoba face,” an emoji used in Russian online culture for trolling.