GriftHorse Trojan Stole Millions From Android Users Via Billing Fraud Campaign


Security researchers at Zimperium have discovered a year-long malware campaign that involved hackers using a trojanized malware dubbed GriftHorse to infect over ten million Android devices. The hackers were using the malware to conduct mobile-based billing fraud and subscription fraud to con more than 10 million Android users out of their money.

Researchers at mobile security company Zimperium uncovered the malicious campaign that has been active since November 2020. The campaign involves the use of a malware trojan that spreads surreptitiously through fraudulent mobile apps available on the Google Play Store as well as third-party stores.

Dubbed GriftHorse by researchers Aazim Yaswant and Nipun Gupta, the trojan has so far been used to victimize more than 10 million Android users across the world. Developers of GriftHorse are using it as fleeceware, a type of malware used specifically to overcharge users with excessive subscription fees.

The hackers are leveraging GriftHorse to carry out premium service scams and mobile-based billing fraud. This means infiltration aside, GriftHorse operations also amount to financial crimes. Zimperium estimated the total amount stolen as part of the campaign to be “well into the hundreds of millions of Euros.”

“The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions,” Yaswant and Gupta noted.

The GriftHorse Attack Vector

GriftHorse was embedded in more than 200 mobile apps. Downloading and installing any of these infected apps results in users being continuously targeted with screen alerts or notifications asking them to claim a prize they have just won. The frequency is generally five notification pop-ups per hour until the user accepts one.

GriftHorse Notification | Source: Zimperium

Once accepted, victims are redirected to a webpage where they’re prompted to submit their phone numbers for verification. Threat actors shrewdly leveraged the IP-based location to deliver this webpage in the regional language, thus involving a certain degree of social engineering in the overall scheme.

Region-Specific Fraud Webpages for Egypt and Greece | Source: Zimperium


This is where the fraud takes place. The user verification via phone number is actually a ploy to subscribe them to a premium SMS service. Charges vary between €30 and €36 ($34.79 to $41.75) per month.

The researchers said, “These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains and filtering / serving the malicious payload based on the originating IP address’s geolocation.” As a result, any security team, let alone an ordinary user, may have missed the malware/trojan, even with dynamic analysis on network communication.

It can take months for the victim to detect the fraud, and the chances of getting their money back are even slimmer.

Which Apps Are Infected?

Google has put in a lot of effort, in association with the security research community, to keep malicious and fraudulent apps away from the Play Store for years. However, hackers are adept at using new tricks and techniques to bypass Play Store protections to sneak in malicious apps from time to time. In the recently-discovered campaign, researchers found that hackers not only infiltrated apps inside the Play Store, they also leveraged third-party app stores to propagate the malware. So much so that apps laden with the trojan are still available on third-party stores.

Nevertheless, the fact that several app stores were used to spread the malware indicates that the threat actors took great care not to be discovered, either by targeted users or anyone else. It also paints a vivid picture of the risks of sideloading applications, especially when devices aren’t protected. Over-reliance on Google Play Store protections may also not work out every time.

Threat actors also used a variety of different application categories to target users with varied interests. The biggest category is Tools followed by Entertainment, and Personalization. A complete breakdown is given below:

GriftHorse App Type Infections | Source: Zimperium

Users need to be wary of the tricks threat actors employ to carry out scams. More importantly, there need to be checks and balances in place to detect malicious activity. For example, telecom carriers can verify that the user behind a phone number is knowingly subscribing to a premium service before billing them.
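One form such a carrier-side check could take, as an added illustration rather than anything Zimperium or a carrier actually runs: a premium-SMS subscription is only treated as consented when the handset itself replies to the short code shortly after the phone number is submitted on a web page (double opt-in). The event format, short code, window and phone numbers are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed carrier-side events (hypothetical format, not Zimperium data).
# "web_signup": a phone number typed into a subscription web page;
# "sms_confirm": a reply sent from the handset itself to the short code.
@dataclass
class Event:
    ts: datetime
    kind: str
    msisdn: str
    shortcode: str
    monthly_eur: float = 0.0

CONFIRM_WINDOW = timedelta(minutes=15)

def unconsented_subscriptions(events, window=CONFIRM_WINDOW):
    """Return web signups never confirmed from the handset (no double opt-in).
    A signup counts as knowingly accepted only if the same MSISDN sent an
    SMS confirmation to the same short code within `window` of the form post.
    """
    confirms = [e for e in events if e.kind == "sms_confirm"]
    signups = sorted((e for e in events if e.kind == "web_signup"), key=lambda e: e.ts)
    flagged = []
    for s in signups:
        confirmed = any(
            c.msisdn == s.msisdn and c.shortcode == s.shortcode
            and s.ts <= c.ts <= s.ts + window
            for c in confirms
        )
        if not confirmed:
            flagged.append(s)
    return flagged

# Constructed sample: three numbers submitted on a web page for short code
# "PREM01"; only the first one replies from the handset in time.
T0 = datetime(2021, 9, 1, 10, 0)
SAMPLE_EVENTS = [
    Event(T0, "web_signup", "+30690000001", "PREM01", 36.0),
    Event(T0 + timedelta(minutes=2), "sms_confirm", "+30690000001", "PREM01"),
    Event(T0 + timedelta(minutes=5), "web_signup", "+30690000002", "PREM01", 36.0),
    Event(T0 + timedelta(minutes=9), "web_signup", "+20100000003", "PREM01", 30.0),
    # A reply long after the window does not count as consent.
    Event(T0 + timedelta(hours=2), "sms_confirm", "+20100000003", "PREM01"),
]

if __name__ == "__main__":
    for s in unconsented_subscriptions(SAMPLE_EVENTS):
        print(f"{s.ts:%H:%M} {s.msisdn} -> {s.shortcode} ({s.monthly_eur} EUR/month) lacks handset confirmation")
```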

The threat actors behind the campaign remain unknown as of now. The technical analysis of the GriftHorse campaign is detailed by Zimperium here, along with the list of compromised apps that should be promptly uninstalled.
