A nefarious Android trojan, called GriftHorse and hidden in an aggressive mobile premium services campaign, has stolen hundreds of millions of Euros. The discovery comes from Zimperium zLabs researchers, who found that the trojan has been using malicious Android applications and relying on user interaction to achieve wider reach and infection.
“These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent,” the report revealed.
GriftHorse Android Trojan Spreading Since November 2020
Forensic evidence indicates that the GriftHorse threat actor has been running its operation since November 2020. Not surprisingly, the malicious Android apps involved were distributed through Google Play, but third-party app stores were also leveraged. Following a disclosure to Google, the company removed the malicious apps from the Play Store. The bad news is that the apps are still available for download on third-party app repositories.
GriftHorse Android Trojan Impact and Capabilities
The malicious operation has been targeting users in more than 70 countries by serving malicious pages based on their geo-location and local language. This is a very successful social engineering tactic, since users tend to feel more comfortable sharing information with a website in their own language, the researchers pointed out.
Once their device is infected, users are “bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately.” What is more interesting is that the pop-ups continue to appear until the user accepts the offer. Once the invitation to claim the prize is accepted, the malware redirects the victim to a geo-specific webpage inviting them to enter their phone number.
“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back,” the researchers said.
From a technological perspective, the GriftHorse trojan is developed using Apache Cordova, a mobile app development framework. The platform allows developers to use standard web technologies, such as HTML5, CSS3, and JavaScript, for cross-platform mobile development. Furthermore, the framework allows developers to push updates to their apps without requiring manual effort from the user.
More than 10 million Android users have been tricked by this campaign globally, resulting in enormous financial losses for the victims and quite the gain for the cybercriminals.
“And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign,” Zimperium concluded.
Just a couple of days ago, another dangerous Android trojan was revealed by ThreatFabric researchers. Called ERMAC, the malware appears to be the work of the BlackRock cybercriminals and is built on the codebase of the infamous Cerberus.
The trojan is already being distributed in active campaigns and is targeting 378 banking and wallet apps with overlays. The first campaigns were most likely initiated in late August 2021. The attacks have since expanded to cover numerous categories of apps, including banking apps, media players, government apps, and antivirus solutions.