
Users of Android phones are infected with this dangerous new malware 2021.



Users of Android phones are infected with this dangerous new malware. The campaign has targeted millions of users from over 70 countries

The use of mobile devices has been on the rise recently and it is no surprise to see cybercriminals targeting these endpoints for financial crimes.

Security researchers have shared details about a malware strain that has reportedly infected millions of Android devices across more than 70 countries. 

Discovered by mobile security firm Zimperium, the GriftHorse malware subscribes Android phone users to premium SMS services and has been active since at least November 2020.

According to Zimperium researchers Aazim Yaswant and Nipun Gupta, GriftHorse is one of the “most widespread campaigns” they’ve tracked this year.

The malware and means of distribution

Forensic evidence gathered by Zimperium zLabs indicates that the threat group behind this Android Trojan, named GriftHorse, has been running the campaign since November 2020. The malicious applications were initially distributed through both Google Play and third-party application stores.

Zimperium zLabs reported the findings to Google, which verified the information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk that sideloading poses to mobile endpoints and user data, and the need for advanced on-device security.

What can the GriftHorse Android Trojan do?

The mobile applications pose a threat to all Android phones by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium amounting to around 36 Euros per month.

The campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users in their local language, based on the geo-location of their IP address. This social engineering trick is exceptionally successful, considering that users might feel more comfortable sharing information with a website in their local language.

Upon infection, the victim is bombarded with alerts on the screen letting them know they have won a prize and need to claim it immediately.

These pop-ups reappear no less than five times per hour until the user accepts the offer.

Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification.

But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month.

The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with no means to get one’s money back.

How does the GriftHorse Android Trojan work on Android phones?

The Trojans are developed using the mobile application development framework named Apache Cordova. Cordova allows developers to use standard web technologies – HTML5, CSS3, and JavaScript for cross-platform mobile development.

This technology enables developers to deploy updates to apps without requiring the user to update manually.

When installed on Android phones, the malware will flood the users with fraudulent pop-ups and notifications showing fake prizes and special offers.

The configuration for the notifications is received in the server's response, and the notifications are displayed five times every hour on the infected phone. The purpose of this repetitive pushing is to grab the user's attention and draw them into the application.

If a user clicks on the notification, they’ll be asked to enter their phone numbers to claim their winnings, not knowing they are subscribing to expensive premium SMS services.
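As an added, defender-side example (not Zimperium's code and not taken from the report), the following Python heuristic looks for the five-notifications-per-hour cadence described above in a constructed, logcat-style notification log; the log format, the placeholder package names and the threshold are all assumptions.

```python
"""Added example (not Zimperium's code): flag packages that post notifications
at the GriftHorse cadence, at least five times inside any rolling hour."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed, logcat-style sample log; package names are placeholders, not real IoCs.
SAMPLE_LOG = """\
2021-09-29 10:02:11 NotificationManager: notify pkg=com.example.translatorpro title="You won a prize!"
2021-09-29 10:14:40 NotificationManager: notify pkg=com.example.translatorpro title="Claim your reward now"
2021-09-29 10:20:05 NotificationManager: notify pkg=com.android.messaging title="New message"
2021-09-29 10:27:59 NotificationManager: notify pkg=com.example.translatorpro title="You won a prize!"
2021-09-29 10:41:13 NotificationManager: notify pkg=com.example.translatorpro title="Special offer"
2021-09-29 10:55:30 NotificationManager: notify pkg=com.example.translatorpro title="You won a prize!"
2021-09-29 11:30:00 NotificationManager: notify pkg=com.android.messaging title="New message"
2021-09-29 12:00:00 NotificationManager: notify pkg=com.android.messaging title="New message"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ notify pkg=(?P<pkg>\S+)'
)

def parse_log(text):
    """Yield (timestamp, package) per notification line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("pkg")

def find_notification_floods(text, threshold=5, window=timedelta(hours=1)):
    """Return {package: peak_count} for packages reaching `threshold`
    notifications within any rolling `window` (sliding window per package)."""
    recent = defaultdict(deque)
    peak = {}
    for ts, pkg in sorted(parse_log(text)):   # time order, in case the log is interleaved
        q = recent[pkg]
        q.append(ts)
        while ts - q[0] > window:            # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[pkg] = max(peak.get(pkg, 0), len(q))
    return peak

if __name__ == "__main__":
    for pkg, count in find_notification_floods(SAMPLE_LOG).items():
        print(f"{pkg}: {count} notifications within one hour")
```

The same sliding-window check can be pointed at a real `dumpsys notification` or logcat export once the regex is adapted to that output.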

What makes the GriftHorse campaign really effective though is the amount of work its developers have invested in polishing the malware’s code quality.

To further its reach, the researchers point out that the threat actors behind the malware have made a conscious effort to distribute it across a well-thought-out spread of apps.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” note the researchers.

Zimperium brought the campaign to Google’s notice, and the infected apps have since been zapped from the Play Store.

The strategy used in performing the attacks

According to Zimperium zLabs, the GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, and its success is attributable to a combination of features:

  • Completely undetected and unreported by any other AV vendor;
  • More than 200 Trojan applications used in the campaign;
  • A sophisticated architecture that prevents investigation of the full extent of the campaign;
  • A no-reuse policy for strings, to avoid blocklisting.

Infected victim.

The numbers reveal that more than 10 million Android phones fell victim to this campaign globally, their owners suffering financial losses while the threat group grew wealthier and more motivated over time. And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign.

Indicators of Compromise

List of Applications


For further details, read the full report from Zimperium zLabs.
