GriftHorse Android malware found in 200 scam apps affects 10 million devices, steals hundreds of millions
Over 10 million Android devices are infected with Android malware distributed through Google Play and third-party app stores.
Mobile security company Zimperium says the campaign is targeting device users in 70 countries through seemingly harmless scam apps that subscribe victims to premium SMS services.
The Trojan named GriftHorse is present in around 200 malicious Android apps, most of which have been removed from the Google Play Store.
GriftHorse Android malware seems harmless and undetectable
Zimperium says the Android apps appear harmless at first glance based on their store descriptions and requested permissions, giving users a false sense of trust. The threat actors have also released the scam Android apps across various categories to widen their reach.
In addition, they avoid hard-coding the URLs of their command-and-control servers or reusing domains, which sidesteps block lists of known channels. They also serve payloads based on the geographic origin of the user’s IP address.
“This method allowed attackers to target different countries in different ways,” the researchers wrote. “This server-side verification escapes the dynamic analysis verification of communication and network behavior.”
Because of this design, the Android malware goes undetected by code scanning on the Google Play Store and by mobile antivirus products. These evasion tactics have kept the campaign operational since November 2020.
Paul Bischoff, privacy advocate at Comparitech, said the most concerning issue was that Google had allowed 200 fraudulent Android malware apps on its platform. According to Bischoff, users were at greater risk by implicitly trusting Google Play, which comes preinstalled on most devices.
“Play Protect, the virus scanner used to check Android apps for malicious behavior, fails to report a lot of malware on Google Play,” Bischoff noted. “According to AV-Test, Play Protect only detected 52.3% of real-time malware attacks and 55.1% of malware samples.
“The average for these two categories among all the antivirus (AV) programs tested was 96.9% and 97.3% respectively. It is not an effective antivirus. Humans probably don’t review apps before they’re released either.”
The researchers also found that the threat actors developed the Android malware using the Apache Cordova mobile application development framework.
Infected Android apps include iCare – Find Location, My Chat Translator, Handy Translator Pro, Geospot: GPS Location Tracker, Heart Rate and Pulse Tracker, and others. Researchers have published the full list of fraudulent apps with their full indicators of compromise.
Android scam apps steal from hundreds of millions of victims
According to Zimperium, the scam apps trick users into clicking malicious links in order to steal money from their accounts.
The apps serve users pages tailored to their geolocation, IP address and language to gain their trust.
Once installed, the scam apps aggressively send various pop-ups and notifications promising various freebies and offers. Victims can receive up to five notifications per hour, increasing their likelihood of taking action.
When a user taps one of these notifications, the malicious app redirects them to a web page that asks them to submit their phone number for verification in order to claim the prize. The threat actors then secretly subscribe the victim to premium SMS services that begin charging the victim’s phone bill without their knowledge.
Most victims do not immediately notice the theft, which allows the scam to continue for months. Suspicion grows only when users are billed month after month for services they never authorized, with charges of up to around $42 or €36 each month.
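The fraud flow above combines two observable signals on the device: an unusually high rate of notifications from one app and lure wording (prizes, free offers) in those notifications. The following is an added example, not code from Zimperium or the original article, of how a defender could flag such behaviour from notification logs. The log format, the package names and the threshold of five notifications per hour (taken from the figure reported above) are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample notification log (not real GriftHorse telemetry).
# Format assumed for this example: "<ISO timestamp> <package name> <notification title>"
SAMPLE_LOG = """\
2021-09-29T10:02:11 com.example.translator You won a prize! Claim now
2021-09-29T10:14:40 com.example.translator Free gift waiting for you
2021-09-29T10:27:05 com.example.translator Claim your reward
2021-09-29T10:39:58 com.example.translator Last chance: free offer
2021-09-29T10:51:22 com.example.translator Congratulations! Tap to claim
2021-09-29T10:05:00 com.example.calendar Meeting in 10 minutes
2021-09-29T11:05:00 com.example.calendar Meeting in 10 minutes
2021-09-29T12:00:00 com.example.translator Your prize expires soon
"""

THRESHOLD = 5                 # notifications inside one window that trigger a flag
WINDOW = timedelta(hours=1)   # sliding window length
LURE_WORDS = ("prize", "free", "claim", "reward", "gift", "congratulations")


def parse_log(text):
    """Parse log lines into (timestamp, package, title) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, title = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), pkg, title))
    events.sort(key=lambda e: e[0])
    return events


def flag_noisy_apps(events, threshold=THRESHOLD, window=WINDOW):
    """Per-app sliding-window rate check.

    Returns {package: (time the threshold was first reached, lure-word hits)}.
    Only the timestamps still inside the window are kept per app, so memory
    stays bounded regardless of log length.
    """
    recent = defaultdict(deque)   # package -> timestamps inside the window
    lure_hits = defaultdict(int)  # package -> notifications containing lure wording
    flagged = {}
    for ts, pkg, title in events:
        if any(word in title.lower() for word in LURE_WORDS):
            lure_hits[pkg] += 1
        q = recent[pkg]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and pkg not in flagged:
            flagged[pkg] = (ts, lure_hits[pkg])
    return flagged


if __name__ == "__main__":
    for pkg, (when, hits) in flag_noisy_apps(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg}: hit {THRESHOLD} notifications/hour at {when.isoformat()} "
              f"({hits} with lure wording)")
```

The rate check alone would also catch a chatty but legitimate messaging app, which is why the lure-word count is reported alongside it: the combination of high frequency and prize-style wording is what matches the behaviour described above, and an analyst reviewing the flagged entries can weigh both.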
Zimperium security researchers have discovered that fraudulent Android malware apps have stolen hundreds of millions of dollars in one of the “most ubiquitous” campaigns.
“It’s unfortunate that it has gotten to the point where you can no longer fully trust the apps in official owner stores,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “These store vendors really need more control over the behavior of the apps they distribute.
“In some cases, ignorant users may be to blame, such as when trying to download pirated copies of apps from third-party stores, but most users are not and shouldn’t be expected to spot malicious apps or app activity from an official source.”