Researchers at Zimperium have discovered an aggressive mobile premium services campaign with over 10 million victims all over the world. The total stolen could amount to hundreds of millions of Euros.

The scam was hidden behind malicious Android apps, and the researchers have named the Trojan GriftHorse. They estimate the group has been active since November 2020.

Distribution

These malicious Android apps were initially distributed through both Google Play and third-party application stores. After the researchers reported the findings to Google, the malicious applications were removed from the Google Play store. However, the malicious applications are still available on third-party app stores, once again proving the potential dangers involved in sideloading applications to mobiles.

To enhance the effectiveness of the campaign, the group served pages to users based on the geolocation of their IP address and addressed them in the local language. This social engineering trick is very successful, since users are generally more comfortable sharing information on a website in their own language.

How it works

The GriftHorse Trojan subscribes unsuspecting users to paid services, charging a premium amounting to around 36 dollars per month.

Immediately after installing the malicious app, the user is bombarded with popups telling them they have won a prize and need to claim it straight away or they will miss the opportunity. When the user accepts the offer, the malware redirects them to a geo-specific website where they have to submit their phone number for “verification”.

Instead of any verification taking place, the user is actually signed up for a premium SMS service that starts charging their phone bill over €30 per month.

Applications of this kind are often referred to as fleeceware. By definition, fleeceware is a type of malware for mobile devices that comes with hidden, excessive subscription fees. These applications take advantage of users who do not know how to cancel a subscription by charging them long after they have deleted the application.

Detection

The threat actors use a few different methods to avoid detection. While some users may become suspicious of an extra charge on their phone bill, it may take others months to notice. If and when they do notice, they need to work out how to cancel the subscription, and there is no chance of getting their money back.

The threat actors are also very careful to avoid hard-coding URLs in the malicious apps. To create the apps they used the mobile application development framework Apache Cordova. A Cordova application renders its user interface as a web page built from HTML, CSS, JavaScript, and images, which lets developers deploy updates to apps without requiring the user to update manually. Using this capability, the actors had the app fetch the currently active URL, which acted as a C&C server.
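As an added triage example (not from the Zimperium or Malwarebytes write-ups), the Python below inspects a Cordova `config.xml` for settings that let a packaged app fetch its start page from a server or navigate to arbitrary remote URLs, the mechanism described above. The `content`, `allow-navigation` and `access` elements are Cordova's own; the two sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def _local_name(tag: str) -> str:
    """Strip the XML namespace (Cordova config.xml uses the W3C widgets namespace)."""
    return tag.rsplit("}", 1)[-1]


def _remote_or_wildcard(value: str) -> bool:
    """True if a URL pattern is a wildcard or points at an http(s) origin."""
    value = (value or "").strip()
    if "*" in value:
        return True
    return urlparse(value).scheme.lower() in ("http", "https")


def triage_cordova_config(config_xml: str) -> dict:
    """Flag config.xml settings that let the web view load remote content.

    content/src is the start page (remote URL = UI fetched from a server);
    allow-navigation/href limits navigation; access/origin is the network
    whitelist, where "*" is Cordova's template default and so weak on its own.
    """
    root = ET.fromstring(config_xml)
    findings = {"content_src": [], "allow_navigation": [], "access_origin": []}
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "content" and _remote_or_wildcard(el.get("src")):
            findings["content_src"].append(el.get("src"))
        elif name == "allow-navigation" and _remote_or_wildcard(el.get("href")):
            findings["allow_navigation"].append(el.get("href"))
        elif name == "access" and _remote_or_wildcard(el.get("origin")):
            findings["access_origin"].append(el.get("origin"))
    # A remote start page or broad navigation rights mean the app's real
    # behaviour is decided server-side, which static string matching misses.
    findings["loads_remote_ui"] = bool(findings["content_src"] or findings["allow_navigation"])
    return findings


# Constructed sample configs (not taken from any real app).
BENIGN_CONFIG = """<widget id="com.example.benign" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <content src="index.html" />
  <access origin="*" />
</widget>"""

SUSPICIOUS_CONFIG = """<widget id="com.example.suspect" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <content src="https://landing.example.invalid/start" />
  <allow-navigation href="*" />
  <access origin="*" />
</widget>"""
```

Run `triage_cordova_config` over each decoded APK's `config.xml`; only the `loads_remote_ui` hits deserve analyst time, since a bare `access origin="*"` is the stock template.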

The criminals used over 200 different Trojan applications in the campaign which, besides avoiding detection, also allowed them to spread the distribution of the applications across multiple, varied categories, increasing the range of potential victims.

The programmers of the malicious apps follow a strict no-reuse policy so that security vendors cannot detect all the apps at once; vendors often introduce mass or generic detections based on strings that are typical of a certain malware family.

Victims

By using the geo-specific sites and the spread across multiple categories of apps, the campaign was able to ensnare mobile users from more than 70 countries. Based on the intel collected by the researchers, GriftHorse has infected over 10 million devices in the last few months.

IOCs

A full list of applications and hashes can be found in the blog published by the researchers.

Malwarebytes for Android detects these apps as Android/Trojan.Spy.Joker.gfth.

Stay safe, everyone!