UPDATED 20:36 EST / SEPTEMBER 29 2021


‘GriftHorse’ Android malware tricks victims into subscribing to premium SMS services

A newly discovered Android Trojan being used in a campaign that tricks victims into subscribing to premium SMS services is believed to have over 10 million victims.

Discovered and detailed today by researchers at mobile security company Zimperium Inc., the “GriftHorse” malware has been found embedded in more than 200 malicious applications, many of which have been offered on the Google Play Store. The GriftHorse campaign is thought to have been running since November 2020 and has targeted millions of users in more than 70 countries.

The malicious applications look harmless from their store descriptions and requested permissions, but they leave users charged month after month for a premium service they were subscribed to without their knowledge.

Upon installing an infected application, users are bombarded with alerts telling them they’ve won a prize and need to claim it immediately. After they accept the invitation for the prize, the malware redirects the victims to a geo-specific webpage. They are then asked to submit their phone number for verification, and that’s where the trap is set.

After they enter their phone number for the claimed prize, the victims are instead signed up for a premium SMS service that starts charging their phone bills more than €30 ($34.80) per month. Because the victims don't immediately notice the charges, the theft likely continues for months before it is detected. And because the victims are deemed to have subscribed to the service, there is little to no recourse for getting the money returned.

The researchers noted that the cybercriminals took care to avoid detection: the apps contain no hardcoded URLs, the campaign does not reuse the same domains, and the servers filter requests and serve the malicious payload based on the geolocation of the originating IP address. That allowed the attackers to target different countries in different ways, and it means an analyst fetching a campaign URL from a single vantage point may never see the malicious page at all.
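The practical consequence of payload serving gated by client IP geolocation is that a single fetch from one country proves nothing. The check below is an added example, not code from the article or from Zimperium's report: it fetches the same URL through several vantage points, hashes each response body, and flags the URL as geo-cloaked when the hashes disagree. The `_stand_in_server` function, the `_GEO_BY_PREFIX` map and the vantage IPs are constructed stand-ins (documentation prefixes, not real infrastructure); in a real investigation `fetch` would perform HTTP requests through exit points in each country, and the comparison logic stays the same.

```python
"""Geo-cloaking check: compare what one URL serves to clients in different countries."""
import hashlib
import ipaddress
from typing import Callable, Dict, List

# Constructed stand-in for a campaign server that gates its payload by the client's
# geolocation. Prefixes are RFC 5737 documentation ranges; the mapping is hypothetical.
_GEO_BY_PREFIX = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "GB",
    "192.0.2.0/24": "US",
}
# Countries for which the stand-in serves the subscription page; others get a decoy.
_TARGETED_COUNTRIES = {"DE", "GB"}


def _country_of(client_ip: str) -> str:
    """Resolve a client IP to a country using the constructed prefix map ("" if unknown)."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, country in _GEO_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return ""


def _stand_in_server(client_ip: str) -> bytes:
    """Constructed server: serve the phone-number page only to targeted countries."""
    if _country_of(client_ip) in _TARGETED_COUNTRIES:
        return b"<html>Congratulations! Enter your phone number to claim your prize</html>"
    return b"<html>404 Not Found</html>"


def fetch_from_vantage_points(fetch: Callable[[str], bytes],
                              vantage_ips: Dict[str, str]) -> Dict[str, str]:
    """Fetch once per vantage point and return {label: sha256 of the response body}."""
    return {label: hashlib.sha256(fetch(ip)).hexdigest()
            for label, ip in vantage_ips.items()}


def group_by_response(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group vantage-point labels by the response they received."""
    groups: Dict[str, List[str]] = {}
    for label, digest in hashes.items():
        groups.setdefault(digest, []).append(label)
    return groups


def is_geo_cloaked(hashes: Dict[str, str]) -> bool:
    """True when at least two vantage points received different content for the same URL."""
    return len(set(hashes.values())) > 1


# Constructed vantage points, one per country in the stand-in map.
VANTAGE_IPS = {"de": "203.0.113.10", "gb": "198.51.100.10", "us": "192.0.2.10"}

if __name__ == "__main__":
    result = fetch_from_vantage_points(_stand_in_server, VANTAGE_IPS)
    print("geo-cloaked:", is_geo_cloaked(result))
    for digest, labels in group_by_response(result).items():
        print(digest[:12], sorted(labels))
```

The point of hashing rather than diffing is that the responses may legitimately vary in small ways (timestamps, session tokens); if that is the case for a given campaign, normalise the body before hashing. One vantage point per targeted country is the minimum: a campaign that targets 70 countries, as this one did, can look entirely benign from the analyst's own network.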

Before going public with the details, the researchers presented their findings to Google LLC, and the malicious apps have been removed from Google Play. The malicious apps are still available on third-party app stores, however.

“It’s unfortunate that it’s gotten to the point that you can’t fully trust apps in official first-party stores any longer,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “These store vendors really must do a better job of policing the behavior of the applications they distribute.”

In some cases, he added, ignorant users may be to blame, such as when they may attempt to download pirated copies of apps from third-party stores. “But most users aren’t, nor should they be able to, spot malicious apps or app activity stemming from an official source,” he said.

Image: Zimperium
