
GriftHorse Android Trojan Scam Purloins Over 10 Million Euros

An Android application Trojan campaign GriftHorse discovered by Zimperium zLabs robs millions of Euros from infected devices globally.


Zimperium zLabs recently discovered a global scam in which threat actors hid Trojans inside malicious Android applications and stole millions of Euros from infected devices.

The decoy makes the malicious Android applications look harmless when a user reads the Play Store description or reviews the requested permissions. Once installed, they operate stealthily as Trojans and rely on user interaction to spread further.

The Trojan, named “GriftHorse”, has been running the scam-services campaign since November 2020. It uses the infected device to subscribe to unscrupulous services at a recurring cost and has delivered an illicit cash flow of millions of Euros to the scam operators.

According to Zimperium zLabs, the new malware has been embedded in hundreds of applications that evaded the detection mechanisms of app repositories. These malicious applications are widely distributed through the Google Play Store and third-party app stores. Users are charged monthly for subscribed services without their knowledge or approval. The Android apps span puzzles, gaming, food, and entertainment. The report pointed out that one popular malicious translator app was downloaded no less than 500,000 times.

Google removed the malicious applications from the Play Store on receiving the findings from Zimperium zLabs; however, unsecured third-party app repositories are still rife with these Trojans.

The Campaign

The “GriftHorse” campaign has targeted millions of users across 70 countries. Victims are targeted through apps and malicious pages in their local language, selected by geo-location and IP address, which helps the scam avoid suspicion. The malware goes undetected for months because the operators avoid hardcoded URLs and do not reuse the same domains, allowing them to target different countries and subscribers.

These Trojans were developed using the mobile application development framework Apache Cordova. Cordova allows developers to use standard web technologies (HTML5, CSS3, and JavaScript) for cross-platform mobile development. The framework was abused to host the malicious code on a server and build an application that fetches and executes it at run time.

The zLabs threat research team has described the “GriftHorse” campaign as one of the most effective and widespread cyberattacks of 2021, with more than 200 Trojan apps used to pocket millions of Euros across geographies from over 10 million victims’ devices.

Purplesec’s cybersecurity statistics for 2021 report that mobile malware is on the rise, with a high number of new variants infecting devices, up by 54% in 2018. Nearly 99% of the discovered mobile malware was hosted by third-party app stores. Trojans make up 51.45% of all malware. More than 250,000 unique users were attacked by the Trojan Banker.AndroidOS.Asacub malware application. And 98% of all mobile malware targets Android devices.