UPDATED 20:36 EST / SEPTEMBER 29 2021

SECURITY

‘GriftHorse’ Android malware tricks victims into subscribing to premium SMS services

A newly discovered Android Trojan being used in a campaign that tricks victims into subscribing to premium SMS services is believed to have over 10 million victims.

Discovered and detailed today by researchers at mobile security company Zimperium Inc., the “GriftHorse” malware has been found embedded in more than 200 malicious applications, many of which have been offered on the Google Play Store. The GriftHorse campaign is thought to have been running since November 2020 and has targeted millions of users in more than 70 countries.

The malicious applications appear harmless when looking at the store description and requested permissions but result in users being charged month over month for a premium service to which they get subscribed without their knowledge.

Upon installing an infected application, users are bombarded with alerts telling them they’ve won a prize and need to claim it immediately. After they accept the invitation for the prize, the malware redirects the victims to a geo-specific webpage. They are then asked to submit their phone number for verification, and that’s where the trap is set.

After they enter their phone number for the claimed prize, the victims instead are signed up for a premium SMS service that will start charging their phone bills more than €30 ($34.80) per month. The victims don’t immediately notice the impact of the theft, so it’s likely it continues for months before being detected. As the victims are deemed to have subscribed to the service, there is little to no resource to have the money returned.

The researchers noted that the cybercriminals took great care not to get caught by avoiding hardcoded URLs or reusing the same domains and filtering or serving the malicious payload based on the originating IP address location. That allowed the attackers to target different countries in different ways.

Before going public with the details, the researchers did present their findings to Google LLC and the malicious apps on Google Play have been removed. The malicious apps still exist on third-party app stores, however.

“It’s unfortunate that it’s gotten to the point that you can’t fully trust apps in official first-party stores any longer,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “These store vendors really must do a better job of policing the behavior of the applications they distribute.”

In some cases, he added, ignorant users may be to blame, such as when they may attempt to download pirated copies of apps from third-party stores. “But most users aren’t, nor should they be able to, spot malicious apps or app activity stemming from an official source,” he said.

Image: Zimperium

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU