Android phones are being infected with a dangerous new malware. The campaign has targeted millions of users in more than 70 countries
The use of mobile devices has been on the rise recently and it is no surprise to see cybercriminals targeting these endpoints for financial crimes.
Security researchers have shared details about a malware strain that has reportedly infected millions of Android devices across more than 70 countries.
Discovered by mobile security firm Zimperium, the GriftHorse malware subscribes Android users to premium SMS services and has been active since at least November 2020.
According to Zimperium researchers Aazim Yaswant and Nipun Gupta, GriftHorse is one of the “most widespread campaigns” they’ve tracked this year.
The malware and means of distribution
Forensic evidence gathered by Zimperium zLabs indicates that the threat group behind this Android Trojan, named GriftHorse, has been running the campaign since November 2020. The malicious applications were initially distributed through both Google Play and third-party application stores.
Zimperium zLabs reported the findings to Google, which verified the information and removed the malicious applications from the Google Play store. However, the applications remain available on unsecured third-party app repositories, which highlights the risk that sideloading poses to mobile endpoints and user data, and the need for on-device security.
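A practical first check for the sideloading risk described above is to see which apps on a device were not installed by the Play Store. The following is an added example, not code from Zimperium or from the article: it parses constructed lines in the `package:<name>  installer=<installer or null>` shape that `adb shell pm list packages -i` prints (the exact shape is an assumption about the device's Android version), and lists the packages whose installer is not a trusted store. All package names other than the Play Store are hypothetical.

```python
"""Separate sideloaded apps from Play-installed apps in `pm list packages -i` output.

Added example, not code from Zimperium or the article. The input lines are
constructed; their shape follows what `adb shell pm list packages -i` prints
(`package:<name>  installer=<installer or null>`), which is an assumption
about the device's Android version rather than a guarantee.
"""
import re

PLAY_STORE = "com.android.vending"

# Constructed output; every package name except the Play Store is hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.prizewheel  installer=null
package:com.example.horoscope  installer=com.thirdparty.store
package:com.android.settings  installer=null
package:com.example.translator  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Return a dict {package: installer} with None where pm reported 'null'."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unexpected lines
        pkg, installer = m.group(1), m.group(2)
        result[pkg] = None if installer == "null" else installer
    return result


def sideloaded(packages, trusted_installers=(PLAY_STORE,),
               system_prefixes=("com.android.",)):
    """Return sorted package names whose installer is not a trusted store.

    Preinstalled system packages legitimately report installer=null, so
    anything under a system prefix is skipped rather than flagged.
    """
    out = []
    for pkg, installer in packages.items():
        if pkg.startswith(system_prefixes):
            continue
        if installer not in trusted_installers:
            out.append(pkg)
    return sorted(out)


if __name__ == "__main__":
    for pkg in sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("not installed from a trusted store:", pkg)
```

A null installer is not proof of malice: apps pushed over `adb install`, restored from a backup or preloaded by the OEM also report it, so treat the list as a triage queue rather than a verdict, and compare it against the package names Zimperium published for the campaign.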
What can the GriftHorse Android Trojan do?
The mobile applications threaten any Android phone by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium of around 36 Euros per month.
The campaign has targeted millions of users in more than 70 countries by serving selective malicious pages, in the local language, based on the geolocation of the victim's IP address. This social engineering trick is exceptionally effective, since users feel more comfortable sharing information with a website in their own language.
Upon infection, the victim is bombarded with on-screen alerts telling them they have won a prize and must claim it immediately.
These pop-ups reappear no fewer than five times per hour until the user accepts the offer.
Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone number for verification.
In reality, they are submitting their phone number to a premium SMS service that starts charging their phone bill more than €30 per month.
The victim does not immediately notice the theft, and it is likely to continue for months before detection, with no means of getting the money back.
How does the GriftHorse Android Trojan work on Android phones?
According to Zimperium, the malicious applications are built with the Apache Cordova framework. This technology enables developers to deploy updates to apps without requiring the user to update manually.
When installed on Android phones, the malware will flood the users with fraudulent pop-ups and notifications showing fake prizes and special offers.
The configuration for the notifications is received in the server's response, and they are displayed five times per hour on the infected phone. The purpose of this repetitive pushing is to grab the user's attention and draw them into the application.
If a user clicks on the notification, they’ll be asked to enter their phone numbers to claim their winnings, not knowing they are subscribing to expensive premium SMS services.
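The five-notifications-per-hour cadence described above is a behavioural signal a defender can look for without any signature. The following is an added example, not code from Zimperium or the article: it parses constructed notification-log lines (the line format is an assumption made for this example, not a real logcat or dumpsys format), groups them per package, and flags any package that posts five or more notifications inside any 60-minute window. The package names are hypothetical.

```python
"""Flag Android packages that post notifications at GriftHorse-like rates.

Added example, not code from Zimperium or the article. It reads constructed
notification-log lines, groups them per package, and flags any package that
posts `threshold` or more notifications inside any sliding window of one
hour, which is the cadence the article attributes to GriftHorse.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines; the `notify pkg=... title="..."` format is an
# assumption for this example, not a real Android log format.
SAMPLE_LOG = """\
2021-09-20 10:02:11 notify pkg=com.android.chrome title="Download complete"
2021-09-20 10:05:40 notify pkg=com.example.fakeprize title="You won a prize!"
2021-09-20 10:17:03 notify pkg=com.example.fakeprize title="Claim now"
2021-09-20 10:29:55 notify pkg=com.example.fakeprize title="Last chance"
2021-09-20 10:41:12 notify pkg=com.example.fakeprize title="Your prize is waiting"
2021-09-20 10:53:30 notify pkg=com.example.fakeprize title="Claim your reward"
2021-09-20 11:10:00 notify pkg=com.android.chrome title="Update available"
2021-09-20 12:00:00 notify pkg=com.example.news title="Breaking"
"""

LINE_RE = re.compile(r'^(\S+ \S+) notify pkg=(\S+) title="(.*)"$')


def parse_log(text):
    """Return a list of (timestamp, package, title) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def flag_flooders(events, threshold=5, window=timedelta(hours=1)):
    """Return {package: peak_count} for packages that hit `threshold` notifications
    within any window shorter than `window`.

    Uses a two-pointer sliding window over each package's sorted timestamps, so a
    package that spreads its alerts thinly over a day is not flagged, while one
    that clusters them as GriftHorse does is.
    """
    by_pkg = defaultdict(list)
    for ts, pkg, _title in events:
        by_pkg[pkg].append(ts)

    flagged = {}
    for pkg, times in by_pkg.items():
        times.sort()
        peak = 0
        start = 0
        for end in range(len(times)):
            # Advance the left edge until the span is strictly under one window.
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pkg] = peak
    return flagged


if __name__ == "__main__":
    for pkg, count in flag_flooders(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg}: {count} notifications within one hour")
```

In the constructed sample only `com.example.fakeprize` is flagged; Chrome's two notifications are 68 minutes apart and never share a window. On a real device the same logic can be fed from a notification listener or from `dumpsys notification` output once a parser for that format is written; the threshold and window are deliberately parameters so they can be tuned against a fleet's baseline before alerting on them.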
What makes the GriftHorse campaign so effective is the effort its developers have invested in the quality of the malware's code.
To extend its reach, the researchers point out, the threat actors deliberately spread the malware across a wide range of app categories.
“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” the researchers note.
Zimperium brought the campaign to Google's attention, and the infected apps have since been removed from the Play Store.
The strategy behind the campaign
According to Zimperium zLabs, GriftHorse is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, and they attribute its success to a combination of features:
Went completely undetected and unreported by any other AV vendor;
More than 200 Trojan applications were used in the campaign;
Sophisticated architecture that hindered investigation of the campaign's full extent;
A no-reuse policy for strings, to evade blocklisting.
The numbers reveal that more than 10 million Android phones fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and more motivated over time. And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign.