Users of Android phones are infected with this dangerous new malware. The campaign has targeted millions of users from over 70 countries
The use of mobile devices has been on the rise recently and it is no surprise to see cybercriminals targeting these endpoints for financial crimes.
Security researchers have shared details about a malware strain that has reportedly infected millions of Android devices across more than 70 countries.
Discovered by mobile security firm Zimperium, the GriftHorse malware subscribes users specifically Android phones to premium SMS services and has been at it since at least November 2020.
According to Zimperium researchers Aazim Yaswant and Nipun Gupta, GriftHorse is one of the “most widespread campaigns” they’ve tracked this year.
The malware and means of distribution
Forensic evidence of Zimperium zLabs indicates these active Android phones target Trojan attack, which is named GriftHorse, the threat group has been running this campaign since November 2020. These malicious applications were initially distributed through both Google Play and third-party application stores.
Zimperium zLabs reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk of sideloading applications to mobile endpoints and user data and needing advanced on-device security.
What can the GriftHorse Android Trojan do?
The mobile applications pose a threat to all Android phones by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium amounting to around 36 Euros per month.
The campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users based on the geo-location of their IP address with the local language. This social engineering trick is exceptionally successful, considering users might feel more comfortable sharing information to a website in their local language.
Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately.
These pop-ups reappear no less than five times per hour until the application user successfully accepts the offer.
Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification.
But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month.
The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with no means to get one’s money back.
How does the GriftHorse Android Trojan work on Android phones?
The Trojans are developed using the mobile application development framework named Apache Cordova. Cordova allows developers to use standard web technologies – HTML5, CSS3, and JavaScript for cross-platform mobile development.
This technology enables developers to deploy updates to apps without requiring the user to update manually.
When installed on Android phones, the malware will flood the users with fraudulent pop-ups and notifications showing fake prizes and special offers.
The configuration for pushing the notifications is received in the response and displayed every one hour five times on Android phones. The motive of this repetitive notification pushing is to grab the user’s attention and navigate to the application.
If a user clicks on the notification, they’ll be asked to enter their phone numbers to claim their winnings, not knowing they are subscribing to expensive premium SMS services.
What makes the GriftHorse campaign really effective though is the amount of work its developers have invested in polishing the malware’s code quality.
To further its reach, the researchers point out that the threat actors behind the malware have put in conscious effort to distribute it across a well-thought-of spread of apps.
“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” note the researchers.
Zimperium brought the campaign to Google’s notice, and the infected apps have since been zapped from the Play Store.
The strategy used in the performing the acts
According to Zimperium zLabs, the GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, and its success is attributable is to a combination of features:
- Completely undetected and reported by any other AV vendors;
- More than 200 Trojan applications were used in the campaign;
- Sophisticated architecture preventing the investigation of the extent of this campaign.
- No-Reuse policy to avoid the blocklisting of strings.
Infected victim.
The numerical stats reveal that more than 10 million Android phones fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and motivated with time. And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign.
Indicators of Compromise
List of Applications
| Package Name | App Name | Min | Max |
| com.tra.nslat.orpro.htp | Handy Translator Pro | 500,000 | 1,000,000 |
| com.heartratteandpulsetracker | Heart Rate and Pulse Tracker | 100,000 | 500,000 |
| com.geospot.location.glt | Geospot: GPS Location Tracker | 100,000 | 500,000 |
| com.icare.fin.loc | iCare – Find Location | 100,000 | 500,000 |
| my.chat.translator | My Chat Translator | 100,000 | 500,000 |
| com.bus.metrolis.s | Bus – Metrolis 2021 | 100,000 | 500,000 |
| com.free.translator.photo.am | Free Translator Photo | 100,000 | 500,000 |
| com.locker.tul.lt | Locker Tool | 100,000 | 500,000 |
| com.fin.gerp.rint.fc | Fingerprint Changer | 100,000 | 500,000 |
| com.coll.rec.ord.er | Call Recoder Pro | 100,000 | 500,000 |
| instant.speech.translation | Instant Speech Translation | 100,000 | 500,000 |
| racers.car.driver | Racers Car Driver | 100,000 | 500,000 |
| slime.simu.lator | Slime Simulator | 100,000 | 500,000 |
| keyboard.the.mes | Keyboard Themes | 100,000 | 500,000 |
| whats.me.sticker | What’s Me Sticker | 100,000 | 500,000 |
| amazing.video.editor | Amazing Video Editor | 100,000 | 500,000 |
| sa.fe.lock | Safe Lock | 100,000 | 500,000 |
| heart.rhy.thm | Heart Rhythm | 100,000 | 500,000 |
| com.sma.spot.loca.tor | Smart Spot Locator | 100,000 | 500,000 |
| cut.cut.pro | CutCut Pro | 100,000 | 500,000 |
| com.offroaders.survive | OFFRoaders – Survive | 100,000 | 500,000 |
| com.phon.fin.by.cl.ap | Phone Finder by Clapping | 100,000 | 500,000 |
| com.drive.bus.bds | Bus Driving Simulator | 100,000 | 500,000 |
| com.finger.print.def | Fingerprint Defender | 100,000 | 500,000 |
| com.lifeel.scanandtest | Lifeel – scan and test | 100,000 | 500,000 |
| com.la.so.uncher.io | Launcher iOS 15 | 100,000 | 500,000 |
| com.gunt.ycoon.dle | Idle Gun Tycoo\u202an\u202c | 50,000 | 100,000 |
| com.scan.asdn | Scanner App Scan Docs & Notes | 50,000 | 100,000 |
| com.chat.trans.alm | Chat Translator All Messengers | 50,000 | 100,000 |
| com.hunt.contact.ro | Hunt Contact | 50,000 | 100,000 |
| com.lco.nylco | Icony | 50,000 | 100,000 |
| horoscope.fortune.com | Horoscope : Fortune | 50,000 | 100,000 |
| fit.ness.point | Fitness Point | 50,000 | 100,000 |
| com.qub.la | Qibla AR Pro | 50,000 | 100,000 |
| com.heartrateandmealtracker | Heart Rate and Meal Tracker | 50,000 | 100,000 |
| com.mneasytrn.slator | Mine Easy Translator | 50,000 | 100,000 |
| com.phone.control.blockspamx | PhoneControl Block Spam Calls | 50,000 | 100,000 |
| com.paral.lax.paper.thre | Parallax paper 3D | 50,000 | 100,000 |
| com.photo.translator.spt | SnapLens – Photo Translator | 50,000 | 100,000 |
| com.qibl.apas.dir | Qibla Pass Direction | 50,000 | 100,000 |
| com.caollerrrex | Caller-x | 50,000 | 100,000 |
| com.cl.ap | Clap | 50,000 | 100,000 |
| com.eff.phot.opro | Photo Effect Pro | 10,000 | 50,000 |
| com.icon.nec.ted.trac.ker | iConnected Tracker | 10,000 | 50,000 |
| com.smal.lcallrecorder | Smart Call Recorder | 10,000 | 50,000 |
| com.hor.oscope.pal | Daily Horoscope & Life Palmestry | 10,000 | 50,000 |
| com.qiblacompasslocatoriqez | Qibla Compass (Kaaba Locator) | 10,000 | 50,000 |
| com.proo.kie.phot.edtr | Prookie-Cartoon Photo Editor | 10,000 | 50,000 |
| com.qibla.ultimate.qu | Qibla Ultimate | 10,000 | 50,000 |
| com.truck.roud.offroad.z | Truck – RoudDrive Offroad | 10,000 | 50,000 |
| com.gpsphonuetrackerfamilylocator | GPS Phone Tracker – Family Locator | 10,000 | 50,000 |
| com.call.recorder.cri | Call Recorder iCall | 10,000 | 50,000 |
| com.pikcho.editor | PikCho Editor app | 10,000 | 50,000 |
| com.streetprocarsracingss | Street Cars: pro Racing | 10,000 | 50,000 |
| com.cinema.hall | Cinema Hall: Free HD Movies | 10,000 | 50,000 |
| com.ivlewepapallr.bkragonucd | Live Wallpaper & Background | 10,000 | 50,000 |
| com.in1.tel.ligent.trans.lt.pro | Intelligent Translator Pro | 10,000 | 50,000 |
| com.aceana.lyzzer | Face Analyzer | 10,000 | 50,000 |
| com.tueclert.ruercder | TrueCaller & TrueRecoder | 10,000 | 50,000 |
| com.trans.lator.txt.voice.pht | iTranslator_ Text & Voice & Photo | 10,000 | 50,000 |
| com.puls.rat.monik | Pulse App – Heart Rate Monitor | 10,000 | 50,000 |
| com.vidphoremanger | Video & Photo Recovery Manager 2 | 10,000 | 50,000 |
| online.expresscredit.com | Быстрые кредиты 24\7 | 10,000 | 50,000 |
| fit.ness.trainer | Fitness Trainer | 10,000 | 50,000 |
| com.clip.buddy | ClipBuddy | 10,000 | 50,000 |
| vec.tor.art | Vector arts | 10,000 | 50,000 |
| ludo.speak.v2 | Ludo Speak v2.0 | 10,000 | 50,000 |
| battery.live.wallpaperhd | Battery Live Wallpaper 4K | 10,000 | 50,000 |
| com.heartrateproxhealthmonitor | Heart Rate Pro Health Monitor | 10,000 | 50,000 |
| com.locatorqiafindlocation | Locatoria – Find Location | 10,000 | 50000 |
| com.gtconacer | GetContacter | 10,000 | 50000 |
| ph.oto.lab | Photo Lab | 10,000 | 50,000 |
| com.phoneboster | AR Phone Booster – Battery Saver | 10,000 | 50,000 |
| com.translator.arabic.en | English Arabic Translator direct | 10,000 | 50,000 |
| com.vpn.fast.proxy.fep | VPN Zone – Fast & Easy Proxy | 10,000 | 50,000 |
| com.projector.mobile.phone | 100% Projector for Mobile Phone | 10,000 | 50,000 |
| com.forza.mobile.ult.ed | Forza H Mobile 4 Ultimate Edition | 10,000 | 50,000 |
| com.sticky.slime.sim.asmr.nws | Amazing Sticky Slime Simulator ASMR\u200f | 10,000 | 50,000 |
| com.clap.t.findz.m.phone | Clap To Find My Phone | 10,000 | 50,000 |
| com.mirror.scree.n.cast.tvv | Screen Mirroring TV Cast | 10,000 | 50,000 |
| com.frcallworwid | Free Calls WorldWide | 10,000 | 50,000 |
| locator.plus.my | My Locator Plus | 10,000 | 50,000 |
| com.isalamqciqc | iSalam Qibla Compass | 5,000 | 10,000 |
| com.lang.tra.nslate.ltef | Language Translator-Easy&Fast | 5,000 | 10,000 |
| com.wifi.unlock.pas.pro.x | WiFi Unlock Password Pro X | 5,000 | 10,000 |
| com.chat.live.stream.pvc | Pony Video Chat-Live Stream | 5,000 | 10,000 |
| com.zodiac.hand | Zodiac : Hand | 5,000 | 10,000 |
| com.lud.gam.ecl | Ludo Game Classic | 5,000 | 10,000 |
| com.locx.findx.locx | Loca – Find Location | 5,000 | 10,000 |
| com.easy.tv.show.ets | Easy TV Show | 5,000 | 10,000 |
| com.qiblaquran | Qibla correct Quran Coran Koran | 5,000 | 10,000 |
| com.dat.ing.app.sw.mt | Dating App – Sweet Meet | 5,000 | 10,000 |
| com.circ.leloca.fi.nder | R Circle – Location Finder | 5,000 | 10,000 |
| com.taggsskconattc | TagsContact | 5,000 | 10,000 |
| com.ela.salaty.musl.qibla | Ela-Salaty: Muslim Prayer Times & Qibla Direction | 1,000 | 5,000 |
| com.qiblacompassrtvi | Qibla Compass | 1,000 | 5,000 |
| com.soul.scanner.check.yh | Soul Scanner – Check Your | 1,000 | 5,000 |
| com.chat.video.live.ciao | CIAO – Live Video Chat | 1,000 | 5,000 |
| com.plant.camera.identifier.pci | Plant Camera Identifier | 1,000 | 5,000 |
| com.call.colop.chan.cc | Color Call Changer | 1,000 | 5,000 |
| com.squishy.pop.it | Squishy and Pop it | 1,000 | 5,000 |
| com.keyboard.virt.projector.app | Keyboard: Virtual Projector App | 1,000 | 5,000 |
| com.scanr.gdp.doc | Scanner Pro App: PDF Document | 1,000 | 5,000 |
| com.qrrea.derpro | QR Reader Pro | 1,000 | 5,000 |
| com.f.x.key.bo.ard | FX Keyboard | 1,000 | 5,000 |
| photoeditor.frame.com | You Frame | 1,000 | 5,000 |
| call.record.prov | Call Record Pro | 1,000 | 5,000 |
| com.isl.srick.ers | Free Islamic Stickers 2021 | 1,000 | 5,000 |
| com.qr.code.reader.scan | QR Code Reader – Barcode Scanner | 1,000 | 5,000 |
| com.scan.n.ray | Bag X-Ray 100% Scanner | 1,000 | 5,000 |
| com.phone.caller.screnn | Phone Caller Screen 2021 | 1,000 | 5,000 |
| com.trnsteito.nneapp | Translate It – Online App | 1,000 | 5,000 |
| com.mobthinfind | Mobile Things Finder | 1,000 | 5,000 |
| com.piriufffcaer | Proof-Caller | 1,000 | 5,000 |
| com.hones.earcy.laof | Phone Search by Clap | 1,000 | 5,000 |
| com.secontranslapro | Second Translate PRO | 1,000 | 5,000 |
| cal.ler.ids | CallerID | 1,000 | 5,000 |
| com.camera.d.plan | 3D Camera To Plan | 500 | 1,000 |
| com.qib.find.qib.di | Qibla Finder – Qibla Direction | 500 | 1,000 |
| com.stick.maker.waps | Stickers Maker for WhatsApp | 500 | 1,000 |
| com.qbbl.ldironwach | Qibla direction watch (compass) | 500 | 1,000 |
| com.bo.ea.lesss.piano | Piano Bot Easy Lessons | 500 | 1000 |
| com.seond.honen.umber | CallHelp: Second Phone Number | 500 | 1000 |
| com.faspulhearratmon | FastPulse – Heart Rate Monitor | 500 | 1000 |
| com.alleid.pam.lofhys | Caller ID & Spam Blocker | 500 | 1000 |
| com.free.coupon2021 | Free Coupons 2021 | 100 | 500 |
| com.kfc.saudi.delivery.coupons | KFC Saudi – Get free delivery and 50% off coupons | 100 | 500 |
| com.skycoach.gg | Skycoach | 100 | 500 |
| com.live.chat.meet.hoo | HOO Live – Meet and Chat | 100 | 500 |
| easy.bass.booster | Easy Bass Booster | 10 | 50 |
| com.coupongiftsnstashop | Coupons & Gifts: InstaShop | 10 | 50 |
| com.finnccontat | FindContact | 10 | 50 |
| com.aunch.erios.drog | Launcher iOS for Android | 10 | 50 |
| com.blo.cced.als.pam.rzd | Call Blocker-Spam Call Blocker | 10 | 50 |
| com.blo.cced.als.pam.rzd | Call Blocker-Spam Call Blocker | 10 | 50 |
| com.ivemobibercker | Live Mobile Number Tracker | 10 | 50 |
| Total | 4,287,470 | 17,345,450 |
For further clarification read more on Zimperium zLab
