Spanish police have arrested a Russian programmer suspected of developing the Neverquest banking Trojan, a malware targeting financial institutions across the world.
The 32-year-old Russian citizen known as Lisov SV was arrested at the Barcelona airport, Spain’s law enforcement agency Guardia Civil said on Friday.
The FBI had been working with Spanish authorities to track down the suspect through an international arrest warrant, according to a statement from the agency. The FBI, however, declined to comment on the man’s arrest.
Neverquest is designed to steal username and password information from banking customers. Once it infects a PC, the malware can do this by injecting fake online forms into legitimate banking websites to log any information typed in. It can also take screenshots and video from the PC’s desktop and steal any passwords stored locally.
Once the credentials are stolen, Neverquest can use the infected PC to secretly log back into the customer’s online banking account. It can then access the victim’s funds and transfer the money out.
In 2013, antivirus vendor Kaspersky Lab discovered the malware being advertised in black market forums. It’s since been found preying on the banking sites of 100 to 200 financial institutions, and it has features built in making it hard for security researchers to track.
On Friday, Spanish authorities said the malware has resulted in financial losses from victims of about US$5 million. Lisov is suspected of creating NeverQuest and then using servers to administer the malware.
One such server contained files with millions of stolen login credentials from financial website accounts.
The arrested suspect’s full name is Stanislav Lisov, according to Russian news agency TASS, and he was arrested on Jan. 13. Russian diplomats have sent a request to Spanish authorities to learn more about the charges against Lisov.
If Lisov is indeed behind Neverquest, his arrest may stop or slow down the malware’s spread. Last August, IBM Security said Neverquest was the most active financial malware in the world.