Russian law enforcement has made 50 arrests in connection with a five-year operation to steal three billion rubles (just shy of $45 million USD) from the country’s largest bank, Sberbank.

The hackers are alleged to have exploited websites, including popular news sites, to infect victims with the Lurk Trojan, a downloader that grabs more malware from the attackers’ servers.

Lurk is injected into memory, making it difficult to detect and analyze. Further, the attackers used compromised VPN connections to hide their traces.

Researchers at Kaspersky Lab worked with law enforcement and bank officials to support the arrests.

“We realized early on that Lurk was a group of Russian hackers that presented a serious threat to organizations and users. Lurk started attacking banks one-and-a-half years ago; before then its malicious program targeted various enterprise and consumer systems,” said Ruslan Stoyanov, head of computer incidents investigation at Kaspersky Lab. “Our company’s experts analyzed the malicious software and identified the hacker’s network of computers and servers. Armed with that knowledge the Russian Police could identify suspects and gather evidence of the crimes that had been committed. We look forward to helping to bring more cybercriminals to justice.”

The arrests were announced the same day researchers at security company Zscaler disclosed their analysis of a malicious Android application posing as the Sberbank mobile app. The malicious app steals credentials and requests extensive privileges on compromised devices.

The app is worrisome because it can steal SMS messages and monitor incoming calls, two avenues by which banks send one-time passwords and PINs used as a second authentication factor.

The malware uses an overlay technique to steal credentials that victims enter via the legitimate app.

“Even if the victim tries to access the original app, the malware will forcefully present its own fake login screen to the victim,” Zscaler said in its report. “Once the user enters their login details, they are sent to Command & Control (C&C) server.”

The malicious app also has overlays for third-party apps the user is likely to have on their phone, including secure messaging app WhatsApp, the Google Play app and the VTB 24 banking app.

“The fake login pages fetched from those URLs have the same representation as the original ones,” Zscaler said. “Once the user enters their credentials, they are sent to C&C server and the same functionality of displaying technical error is implemented.”

The hackers also took a unique approach to maintain persistence.

“[The app] registers a broadcast receiver that triggers whenever the victim tries to remove administrator rights of the malware app, locking the android device for a few seconds. As a result, it is not possible to uninstall this malicious app by revoking admin rights,” Zscaler said. “The only option left with the victim is to reset the device to factory settings. This again will lead to more data loss for the victim.”