The operators of the GriftHorse campaign profited tens of millions of dollars from their victims.
For years, Google has attempted, with limited success, to keep malicious apps out of the Play Store. The company is constantly working to remove these apps, and the most recent round of takedowns includes 200 apps from a variety of categories that were used to infect over 10 million people with GriftHorse malware.
Apple has recently become lax in the iOS security department, despite adding fuel to the raging iOS vs. Android debate by claiming the latter mobile OS has 47 times more malware due to its openness to sideloading apps. That said, it’s hard to argue against the fact that Android is more attractive for malware developers, who are prodding it every chance they get.
According to researchers at Zimperium zLabs (via TheRecord), a new Android trojan called GriftHorse has been embedded into no fewer than 200 malicious apps that were approved into the Google Play store as well as some third-party app stores. To date, the malware operators have managed to infect more than 10 million Android devices in over 70 countries and have stolen tens of millions of dollars from their victims.
According to the researchers’ report, the GriftHorse campaign has been running since at least November 2020 and continuing through April 2021. When a user installs one of the malicious apps, GriftHorse generates a slew of notifications and popups enticing them with special discounts or various prizes. People who click on these are directed to a web page where they must confirm their phone number in order to gain access to the promotion.
In reality, the victims of GriftHorse are subscribing to premium SMS services that charge over $35 per month. It’s estimated that GriftHorse operators have been making anywhere from $1.5 million to $4 million per month using this scheme, and that their first victims have likely lost more than $230 if they didn’t stop the scam.
Aazim Yaswant and Nipun Gupta of Zimperium note that this was a sophisticated malware campaign in which the operators used quality code and a diverse range of websites and malicious apps that covered almost every possible category. After Zimperium notified Google about the infringing apps, the company removed them from the Play Store; however, they can still be downloaded from third-party app stores.
This isn’t the first time Android users have been targeted in this manner. Wandera, a mobile security and data management firm, discovered a similar piece of malware in 2018 that could, among other things, send SMS messages to premium services. And judging by the sophistication present in the GriftHorse campaign, its operators have likely been doing this for a long time.