GriftHorse Malware

A newly discovered “aggressive” mobile campaign has infected north of 10 million users from over 70 countries via seemingly innocuous Android apps that subscribe the individuals to premium services costing €36 (~$42) per month without their knowledge.

Zimperium zLabs dubbed the malicious trojan “GriftHorse.” The money-making scheme is believed to have been under active development starting from November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S.

Automatic GitHub Backups

No fewer than 200 trojan applications were used in the campaign, making it one of the most widespread scams to have been uncovered in 2021. What’s more, the malicious apps catered to a varied set of categories ranging from Tools and Entertainment to Personalization, Lifestyle, and Dating, effectively widening the scale of the attacks. One of the apps, Handy Translator Pro, amassed as much as 500,000 downloads.

“While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection,” Zimperium researchers Aazim Yaswant and Nipun Gupta said in a report shared with The Hacker News.

“These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent.”

GriftHorse Malware

Like other banking trojans, GriftHorse does not exploit flaws in the Android operating system, but rather socially engineers users into subscribing their phone numbers to premium SMS services upon downloading the apps.

Enterprise Password Management

Following a successful infection, the victims are bombarded with deceptive alerts promising a free “GIFT” that, when clicked, redirect them to a geo-specific webpage to submit their phone numbers for verification. “But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month,” the researchers said.

Following responsible disclosure to Google, the apps have been purged from the Play Store. But they continue to be available on untrusted third-party app repositories, once again underscoring the risks associated with sideloading arbitrary applications and how they can emerge as an intrusion route for malware.

“Overall, GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well frustration or curiosity when accepting the fake free prize spammed into their notification screens,” Yaswant and Gupta concluded.