Connect with us

Android Guide

Users of Android phones are infected with this dangerous new malware 2021.

Published

1 year ago

on

Android phones
Users of Android phones are infected with this dangerous new malware. The campaign has targeted millions of users from over 70 countries
Contents hide
1 Users of Android phones are infected with this dangerous new malware. The campaign has targeted millions of users from over 70 countries
2 The malware and means of distribution
3 What can the GriftHorse Android Trojan do?
4 How does the GriftHorse Android Trojan work on Android phones?
5 The strategy used in the performing the acts
6 Infected victim.
7 Indicators of Compromise
8 Share this:
9 Like this:
10 Related
Android phones
Android phones

The use of mobile devices has been on the rise recently and it is no surprise to see cybercriminals targeting these endpoints for financial crimes.

Security researchers have shared details about a malware strain that has reportedly infected millions of Android devices across more than 70 countries. 

Discovered by mobile security firm Zimperium, the GriftHorse malware subscribes users specifically Android phones to premium SMS services and has been at it since at least November 2020.

According to Zimperium researchers Aazim Yaswant and Nipun Gupta, GriftHorse is one of the “most widespread campaigns” they’ve tracked this year.

The malware and means of distribution

Forensic evidence of Zimperium zLabs indicates these active Android phones target Trojan attack, which is named GriftHorse, the threat group has been running this campaign since November 2020. These malicious applications were initially distributed through both  Google Play and third-party application stores.

Zimperium zLabs reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk of sideloading applications to mobile endpoints and user data and needing advanced on-device security.

What can the GriftHorse Android Trojan do?

The mobile applications pose a threat to all Android phones by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium amounting to around 36 Euros per month.

The campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users based on the geo-location of their IP address with the local language. This social engineering trick is exceptionally successful, considering users might feel more comfortable sharing information to a website in their local language.

Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately.

These pop-ups reappear no less than five times per hour until the application user successfully accepts the offer.

Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification.

But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month.

The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with no means to get one’s money back.

How does the GriftHorse Android Trojan work on Android phones?

The Trojans are developed using the mobile application development framework named Apache Cordova. Cordova allows developers to use standard web technologies – HTML5, CSS3, and JavaScript for cross-platform mobile development.

This technology enables developers to deploy updates to apps without requiring the user to update manually.

When installed on Android phones, the malware will flood the users with fraudulent pop-ups and notifications showing fake prizes and special offers.

The configuration for pushing the notifications is received in the response and displayed every one hour five times on Android phones. The motive of this repetitive notification pushing is to grab the user’s attention and navigate to the application.

If a user clicks on the notification, they’ll be asked to enter their phone numbers to claim their winnings, not knowing they are subscribing to expensive premium SMS services.

What makes the GriftHorse campaign really effective though is the amount of work its developers have invested in polishing the malware’s code quality.

To further its reach, the researchers point out that the threat actors behind the malware have put in conscious effort to distribute it across a well-thought-of spread of apps.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” note the researchers.

Zimperium brought the campaign to Google’s notice, and the infected apps have since been zapped from the Play Store.

The strategy used in the performing the acts

According to Zimperium zLabs, the GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, and its success is attributable is to a combination of features:

  • Completely undetected and reported by any other AV vendors;
  • More than 200 Trojan applications were used in the campaign;
  • Sophisticated architecture preventing the investigation of the extent of this campaign.
  • No-Reuse policy to avoid the blocklisting of strings.
Infected victim.

The numerical stats reveal that more than 10 million Android phones fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and motivated with time. And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign.

Indicators of Compromise

List of Applications

Package NameApp NameMinMax
com.tra.nslat.orpro.htpHandy Translator Pro500,0001,000,000
com.heartratteandpulsetrackerHeart Rate and Pulse Tracker100,000500,000
com.geospot.location.gltGeospot: GPS Location Tracker100,000500,000
com.icare.fin.lociCare – Find Location100,000500,000
my.chat.translatorMy Chat Translator100,000500,000
com.bus.metrolis.sBus – Metrolis 2021100,000500,000
com.free.translator.photo.amFree Translator Photo100,000500,000
com.locker.tul.ltLocker Tool100,000500,000
com.fin.gerp.rint.fcFingerprint Changer100,000500,000
com.coll.rec.ord.erCall Recoder Pro100,000500,000
instant.speech.translationInstant Speech Translation100,000500,000
racers.car.driverRacers Car Driver100,000500,000
slime.simu.latorSlime Simulator100,000500,000
keyboard.the.mesKeyboard Themes100,000500,000
whats.me.stickerWhat’s Me Sticker100,000500,000
amazing.video.editorAmazing Video Editor100,000500,000
sa.fe.lockSafe Lock100,000500,000
heart.rhy.thmHeart Rhythm100,000500,000
com.sma.spot.loca.torSmart Spot Locator100,000500,000
cut.cut.proCutCut Pro100,000500,000
com.offroaders.surviveOFFRoaders – Survive100,000500,000
com.phon.fin.by.cl.apPhone Finder by Clapping100,000500,000
com.drive.bus.bdsBus Driving Simulator100,000500,000
com.finger.print.defFingerprint Defender100,000500,000
com.lifeel.scanandtestLifeel – scan and test100,000500,000
com.la.so.uncher.ioLauncher iOS 15100,000500,000
com.gunt.ycoon.dleIdle Gun Tycoo\u202an\u202c50,000100,000
com.scan.asdnScanner App Scan Docs & Notes50,000100,000
com.chat.trans.almChat Translator All Messengers50,000100,000
com.hunt.contact.roHunt Contact50,000100,000
com.lco.nylcoIcony50,000100,000
horoscope.fortune.comHoroscope : Fortune50,000100,000
fit.ness.pointFitness Point50,000100,000
com.qub.laQibla AR Pro50,000100,000
com.heartrateandmealtrackerHeart Rate and Meal Tracker50,000100,000
com.mneasytrn.slatorMine Easy Translator50,000100,000
com.phone.control.blockspamxPhoneControl Block Spam Calls50,000100,000
com.paral.lax.paper.threParallax paper 3D50,000100,000
com.photo.translator.sptSnapLens – Photo Translator50,000100,000
com.qibl.apas.dirQibla Pass Direction50,000100,000
com.caollerrrexCaller-x50,000100,000
com.cl.apClap50,000100,000
com.eff.phot.oproPhoto Effect Pro10,00050,000
com.icon.nec.ted.trac.keriConnected Tracker10,00050,000
com.smal.lcallrecorderSmart Call Recorder10,00050,000
com.hor.oscope.palDaily Horoscope & Life Palmestry10,00050,000
com.qiblacompasslocatoriqezQibla Compass (Kaaba Locator)10,00050,000
com.proo.kie.phot.edtrProokie-Cartoon Photo Editor10,00050,000
com.qibla.ultimate.quQibla Ultimate10,00050,000
com.truck.roud.offroad.zTruck – RoudDrive Offroad10,00050,000
com.gpsphonuetrackerfamilylocatorGPS Phone Tracker – Family Locator10,00050,000
com.call.recorder.criCall Recorder iCall10,00050,000
com.pikcho.editorPikCho Editor app10,00050,000
com.streetprocarsracingssStreet Cars: pro Racing10,00050,000
com.cinema.hallCinema Hall: Free HD Movies10,00050,000
com.ivlewepapallr.bkragonucdLive Wallpaper & Background10,00050,000
com.in1.tel.ligent.trans.lt.proIntelligent Translator Pro10,00050,000
com.aceana.lyzzerFace Analyzer10,00050,000
com.tueclert.ruercderTrueCaller & TrueRecoder10,00050,000
com.trans.lator.txt.voice.phtiTranslator_ Text & Voice & Photo10,00050,000
com.puls.rat.monikPulse App – Heart Rate Monitor10,00050,000
com.vidphoremangerVideo & Photo Recovery Manager 210,00050,000
online.expresscredit.comБыстрые кредиты 24\710,00050,000
fit.ness.trainerFitness Trainer10,00050,000
com.clip.buddyClipBuddy10,00050,000
vec.tor.artVector arts10,00050,000
ludo.speak.v2Ludo Speak v2.010,00050,000
battery.live.wallpaperhdBattery Live Wallpaper 4K10,00050,000
com.heartrateproxhealthmonitorHeart Rate Pro Health Monitor10,00050,000
com.locatorqiafindlocationLocatoria – Find Location10,00050000
com.gtconacerGetContacter10,00050000
ph.oto.labPhoto Lab10,00050,000
com.phonebosterAR Phone Booster – Battery Saver10,00050,000
com.translator.arabic.enEnglish Arabic Translator direct10,00050,000
com.vpn.fast.proxy.fepVPN Zone – Fast & Easy Proxy10,00050,000
com.projector.mobile.phone100% Projector for Mobile Phone10,00050,000
com.forza.mobile.ult.edForza H Mobile 4 Ultimate Edition10,00050,000
com.sticky.slime.sim.asmr.nwsAmazing Sticky Slime Simulator ASMR\u200f10,00050,000
com.clap.t.findz.m.phoneClap To Find My Phone10,00050,000
com.mirror.scree.n.cast.tvvScreen Mirroring TV Cast10,00050,000
com.frcallworwidFree Calls WorldWide10,00050,000
locator.plus.myMy Locator Plus10,00050,000
com.isalamqciqciSalam Qibla Compass5,00010,000
com.lang.tra.nslate.ltefLanguage Translator-Easy&Fast5,00010,000
com.wifi.unlock.pas.pro.xWiFi Unlock Password Pro X5,00010,000
com.chat.live.stream.pvcPony Video Chat-Live Stream5,00010,000
com.zodiac.handZodiac : Hand5,00010,000
com.lud.gam.eclLudo Game Classic5,00010,000
com.locx.findx.locxLoca – Find Location5,00010,000
com.easy.tv.show.etsEasy TV Show5,00010,000
com.qiblaquranQibla correct Quran Coran Koran5,00010,000
com.dat.ing.app.sw.mtDating App – Sweet Meet5,00010,000
com.circ.leloca.fi.nderR Circle – Location Finder5,00010,000
com.taggsskconattcTagsContact5,00010,000
com.ela.salaty.musl.qiblaEla-Salaty: Muslim Prayer Times & Qibla Direction1,0005,000
com.qiblacompassrtviQibla Compass1,0005,000
com.soul.scanner.check.yhSoul Scanner – Check Your1,0005,000
com.chat.video.live.ciaoCIAO – Live Video Chat1,0005,000
com.plant.camera.identifier.pciPlant Camera Identifier1,0005,000
com.call.colop.chan.ccColor Call Changer1,0005,000
com.squishy.pop.itSquishy and Pop it1,0005,000
com.keyboard.virt.projector.appKeyboard: Virtual Projector App1,0005,000
com.scanr.gdp.docScanner Pro App: PDF Document1,0005,000
com.qrrea.derproQR Reader Pro1,0005,000
com.f.x.key.bo.ardFX Keyboard1,0005,000
photoeditor.frame.comYou Frame1,0005,000
call.record.provCall Record Pro1,0005,000
com.isl.srick.ersFree Islamic Stickers 20211,0005,000
com.qr.code.reader.scanQR Code Reader – Barcode Scanner1,0005,000
com.scan.n.rayBag X-Ray 100% Scanner1,0005,000
com.phone.caller.scrennPhone Caller Screen 20211,0005,000
com.trnsteito.nneappTranslate It – Online App1,0005,000
com.mobthinfindMobile Things Finder1,0005,000
com.piriufffcaerProof-Caller1,0005,000
com.hones.earcy.laofPhone Search by Clap1,0005,000
com.secontranslaproSecond Translate PRO1,0005,000
cal.ler.idsCallerID1,0005,000
com.camera.d.plan3D Camera To Plan5001,000
com.qib.find.qib.diQibla Finder – Qibla Direction5001,000
com.stick.maker.wapsStickers Maker for WhatsApp5001,000
com.qbbl.ldironwachQibla direction watch (compass)5001,000
com.bo.ea.lesss.pianoPiano Bot Easy Lessons5001000
com.seond.honen.umberCallHelp: Second Phone Number5001000
com.faspulhearratmonFastPulse – Heart Rate Monitor5001000
com.alleid.pam.lofhysCaller ID & Spam Blocker5001000
com.free.coupon2021Free Coupons 2021100500
com.kfc.saudi.delivery.couponsKFC Saudi – Get free delivery and 50% off coupons100500
com.skycoach.ggSkycoach100500
com.live.chat.meet.hooHOO Live – Meet and Chat100500
easy.bass.boosterEasy Bass Booster1050
com.coupongiftsnstashopCoupons & Gifts: InstaShop1050
com.finnccontatFindContact1050
com.aunch.erios.drogLauncher iOS for Android1050
com.blo.cced.als.pam.rzdCall Blocker-Spam Call Blocker1050
com.blo.cced.als.pam.rzdCall Blocker-Spam Call Blocker1050
com.ivemobiberckerLive Mobile Number Tracker1050
Total4,287,47017,345,450

For further clarification read more on Zimperium zLab

Related Topics:
Continue Reading
Click to comment

Leave a Reply

Trending

%d bloggers like this: