
GriftHorse Android Trojan Made Hundreds of Millions for Its Operators


A nefarious Android trojan called GriftHorse, hidden inside an aggressive mobile premium-services campaign, has stolen hundreds of millions of Euros. The discovery comes from Zimperium zLabs researchers, who found that the trojan relies on malicious Android applications and on the interactions of their users to spread more widely and infect more devices.

“These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent,” the report revealed.

GriftHorse Android Trojan Spreading Since November 2020

Forensic evidence indicates that the GriftHorse threat actor has been running its operation since November 2020. Not surprisingly, the malicious Android apps involved were distributed through Google Play, but third-party app stores were also leveraged. Following a disclosure to Google, the company removed the malicious apps from the Play Store. The bad news is that the apps are still available for download on third-party app repositories.

GriftHorse Android Trojan Impact and Capabilities

The malicious operation has been targeting users in more than 70 countries by serving malicious pages based on their geo-location and local language. This is a very successful social engineering tactic, since users tend to feel more comfortable sharing information with a website in their own language, the researchers pointed out.

Once the Android device is infected, its users are “bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately.” More interestingly, the pop-ups keep appearing until the user accepts the offer. Once the user accepts the prize invitation, the malware redirects the victim to a geo-specific webpage inviting them to reveal their phone number.

“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back,” the researchers said.

From a technical perspective, the GriftHorse trojan is developed using Apache Cordova, a mobile app development framework. The platform allows developers to use standard web technologies, such as HTML5, CSS3, and JavaScript, for cross-platform mobile development. Furthermore, the framework allows developers to push updates to their apps without requiring any action from the user.

More than 10 million Android users have been tricked by this campaign globally, resulting in enormous financial losses for the victims and quite the gain for the cybercriminals.

“And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign,” Zimperium concluded.

Just a couple of days ago, another dangerous Android trojan was revealed by ThreatFabric researchers. Called ERMAC, the malware appears to have been created by the BlackRock cybercriminals and is derived from the infamous Cerberus.

The trojan is already being distributed in active campaigns and targets 378 banking and wallet apps with overlays. The first campaigns were most likely initiated in late August 2021. The attacks have since expanded to cover numerous app categories, including banking, media players, government apps, and antivirus solutions.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
