GriftHorse Money-Stealing Trojan Takes 10M Android Users for a Ride

The mobile malware has fleeced hundreds of millions of dollars from victims globally, using sophisticated techniques.

More than 10 million Android users have been saddled with a malware called GriftHorse that’s trojanizing various applications and secretly subscribing victims to premium mobile services – a type of billing fraud that researchers categorize as “fleeceware.”

Zimperium uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone-owners are usually none the wiser until they take a look at their mobile bills.

GriftHorse rode onto the scene in November of last year, and by now, “the total amount stolen could be well into the hundreds of millions of Euros,” according to Zimperium researchers, with each victim paying upwards of $40 per month.


Victims are spread across more than 70 countries, each carrying extra charges they may not be aware of. Google removed the flagged apps from Play, but GriftHorse is far from corralled: there may be additional Play apps that have not yet been identified, installs may still be active on users' phones, and the apps remain available in many unofficial stores.

Distribution of GriftHorse Android malware victims. Source: Zimperium.

If users are unlucky enough to download one of the apps, they’ll find themselves “bombarded with alerts on the screen letting them know they had won a prize and need to claim it immediately,” according to Zimperium’s Wednesday analysis. “These pop ups reappear no less than five times per hour until the application user successfully accepts the offer.”

This is where it gets sneaky: Upon accepting the invitation for the prize, the malware serves victims selective pages, chosen by the geolocation of their IP addresses, in the local language and with targeted verbiage. Those pages are also generated dynamically for each request, so that no fixed string is present for security products to blacklist.

“These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains, and filtering/serving the malicious payload based on the originating IP address’s geolocation,” according to the researchers. “This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication and behaviors.”

The redirect page asks targets to submit their phone numbers for “verification.” In reality, typing in the numbers merely subscribes them to a premium SMS service that charges $42 on average per month (€36), which will show up on their phone bills.
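As an added illustration (not from Zimperium's analysis and not GriftHorse code), the following Python script contrasts a substring blocklist with a structural check over the final phone-number page. The HTML samples are constructed here to imitate what the researchers describe: the same form served in different languages with a per-request random token, so that no fixed string survives across serves. A phone-number field plus a submit control is only a triage signal on its own; in practice it is combined with context such as the notification-driven prize flow that led to the page.

```python
"""Blocklist vs. structural detection of a phone-number 'verification' page.

Added example, not part of the Zimperium analysis and not GriftHorse code.
The pages below are constructed samples: the same subscription form in
three languages, each with a random-looking token that changes per serve,
plus a benign contact form as a control.
"""
from html.parser import HTMLParser

# A string blocklist only ever matches the language it was written for.
BLOCKLIST = {"claim your prize", "verify your number"}

SAMPLES = {  # constructed samples, not captured pages
    "en": "<html><body><h1>Congratulations, you won!</h1><p>Claim your prize now. Token 8f1c2</p>"
          "<form action='/sub/confirm' method='post'><input type='tel' name='phone'>"
          "<button>Verify</button></form></body></html>",
    "es": "<html><body><h1>Felicidades!</h1><p>Introduce tu numero para reclamar el premio. Ref q91za</p>"
          "<form action='/confirmar' method='post'><input type='text' name='msisdn'>"
          "<input type='submit' value='Enviar'></form></body></html>",
    "de": "<html><body><h1>Gewinner!</h1><p>Bitte Nummer bestaetigen. Sitzung kk20p</p>"
          "<form action='/bestaetigen' method='post'><input type='tel' name='nummer'>"
          "<button>Weiter</button></form></body></html>",
    "benign": "<html><body><h1>Contact us</h1><form action='/contact' method='post'>"
              "<input type='email' name='email'><textarea name='msg'></textarea>"
              "<button>Send</button></form></body></html>",
}


def blocklist_hit(html: str) -> bool:
    """Naive substring match: defeated by translation or per-request text changes."""
    lower = html.lower()
    return any(s in lower for s in BLOCKLIST)


class FormScanner(HTMLParser):
    """Collects each <form> and whether it has a phone-number input and a submit control."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "tel": False, "submit": False}
        elif self._current is not None:
            if tag == "input":
                itype = (a.get("type") or "text").lower()
                name = (a.get("name") or "").lower()
                # type=tel, or a text field whose name says it is a phone number / MSISDN
                if itype == "tel" or "phone" in name or "msisdn" in name:
                    self._current["tel"] = True
                if itype == "submit":
                    self._current["submit"] = True
            elif tag == "button":
                self._current["submit"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def structural_hit(html: str) -> bool:
    """Structure survives translation and random filler: a form that collects a phone number."""
    scanner = FormScanner()
    scanner.feed(html)
    return any(f["tel"] and f["submit"] for f in scanner.forms)


def evaluate(samples=SAMPLES) -> dict:
    """Run both detectors over every sample page."""
    return {k: {"blocklist": blocklist_hit(v), "structural": structural_hit(v)}
            for k, v in samples.items()}


if __name__ == "__main__":
    for lang, result in evaluate().items():
        print(lang, result)
```

Only the English sample trips the blocklist, while the structural check flags all three localized forms and leaves the contact form alone.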

Looking GriftHorse in the Mouth

The creators of the apps have employed several novel techniques to help the apps stay off the radar of security vendors, the analysis found. In addition to the no-reuse policy for URLs mentioned above, the cybercriminals are also developing the apps using Apache Cordova.

Cordova lets developers build cross-platform mobile apps with standard web technologies (HTML5, CSS3 and JavaScript) that run inside a WebView. Because the app is effectively a web page, its operator can change what it does by updating content on the server, with no app update and no user interaction required.

“[This] technology can be abused to host the malicious code on the server and develop an application that executes this code in real-time,” according to Zimperium. “The application displays as a web page that references HTML, CSS, JavaScript and images.”

The campaign is also supported with a sophisticated architecture and plenty of encryption, which makes detection more difficult, according to the researchers.

For instance, when an app is launched, the encrypted files stored in the “assets/www” folder are decrypted using AES. After a bit more unpacking, the core functionality source code uses the GetData() function to establish communication between the application and a first-stage command-and-control (C2) server, sending an HTTP POST request whose payload is encrypted.

The app then receives an encrypted response, which is decrypted using AES to collect a second-stage C2 URL. It also executes a GET request using Cordova’s “InAppBrowser” function to uncover a third-stage URL, and it starts pushing user notifications about the supposed “prize” once an hour, five times in a row, according to the analysis.

“The second-stage C2 domain is always the same irrespective of the application or the geolocation of the victim,” researchers explained. “The third-stage URL displays the final page asking for the victim’s phone number and subscribes to several paid services and premium subscriptions.”

JavaScript code embedded in the page is responsible for the malicious behavior of the application, researchers added: “The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application-level) code. This can include the collection of data about the device, including IMEI and IMSI among others.”
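The traits described above (a Cordova layout under assets/www, encrypted web assets decrypted at launch, and a WebView JavaScript bridge that can reach telephony identifiers) can be turned into static triage signals. The following Python script is an added example, not Zimperium's tooling and not code from the apps: it builds a constructed in-memory APK with those traits and scores it. The `classes.dex` content is a constructed stand-in adequate for a raw string scan only; a real dex needs a proper parser for anything more, and real manifests are binary XML that need aapt or androguard to read, so no manifest check is attempted.

```python
"""Static triage heuristics for a Cordova-packaged Android app (added example).

Not Zimperium's tooling and not code from the GriftHorse apps. Builds a
constructed in-memory APK (an APK is a ZIP) carrying the traits the
analysis describes and scores it:
  - Cordova layout: assets/www/ with cordova.js or index.html
  - high-entropy files under assets/www/, consistent with encrypted assets
  - classes.dex strings for the WebView JavaScript bridge and telephony IDs
The dex bytes are a constructed stand-in good enough for a raw string scan;
real dex files need a proper parser for anything more.
"""
import io
import math
import os
import zipfile
from collections import Counter

CORDOVA_MARKERS = ("assets/www/cordova.js", "assets/www/index.html")
# Android API identifiers that survive in a dex string pool as plain ASCII.
BRIDGE_STRINGS = (b"addJavascriptInterface", b"getDeviceId", b"getSubscriberId")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0, code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 256) -> dict:
    """Return the signals found and a 0-3 score; 2 or more is worth a closer look."""
    high_entropy = []
    bridge = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        cordova = any(n in CORDOVA_MARKERS for n in names)
        for n in names:
            if n.startswith("assets/www/") and not n.endswith("/"):
                data = z.read(n)
                if len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                    high_entropy.append(n)
        if "classes.dex" in names:
            dex = z.read("classes.dex")
            bridge = [s.decode() for s in BRIDGE_STRINGS if s in dex]
    score = int(cordova) + int(bool(high_entropy)) + int(bool(bridge))
    return {"cordova": cordova, "high_entropy_www": high_entropy,
            "bridge_strings": bridge, "score": score}


def build_sample_apk(encrypted_assets: bool = True) -> bytes:
    """Constructed sample APK; os.urandom stands in for AES ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"binary-xml placeholder")
        z.writestr("assets/www/cordova.js", b"// cordova bootstrap placeholder\n")
        z.writestr("assets/www/index.html",
                   b"<html><body><script src='cordova.js'></script></body></html>")
        if encrypted_assets:
            z.writestr("assets/www/js/app.js", os.urandom(4096))
        else:
            z.writestr("assets/www/js/app.js",
                       b"document.body.innerHTML = 'hello world';\n" * 100)
        dex_strings = b"\x00".join([
            b"Landroid/webkit/WebView;", b"addJavascriptInterface",
            b"Landroid/telephony/TelephonyManager;", b"getDeviceId", b"getSubscriberId",
        ])
        z.writestr("classes.dex", b"dex\n035\x00" + dex_strings)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("encrypted assets", True), ("plain assets", False)):
        print(label, triage_apk(build_sample_apk(flag)))
```

The entropy threshold is deliberately high: minified JavaScript and compressed images can sit around 6 to 7 bits per byte, whereas AES output is indistinguishable from random and lands near 8, so the check separates encrypted web assets from ordinary Cordova content without flagging every bundled image.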

Android Fleeceware Continues to Plague Users

GriftHorse is not the only malware that looks to defraud victims via trojanized apps. The well-documented Joker malware, for example, has been circulating since 2017, disguising itself within hundreds of common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers.

Once installed, Joker silently simulates clicks and intercepts SMS messages to – you guessed it – subscribe victims to unwanted, paid premium services controlled by the attackers. The apps also steal SMS messages, contact lists and device information.

GriftHorse takes a slightly different approach than Joker, but Zimperium warned that it’s just as virulent.


“The threat actors have exerted substantial effort to maximize their presence in the Android ecosystem through a large number of applications, developer accounts and domains,” they said. “The GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021. The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions.”

Detected GriftHorse Apps

  1. 100% Projector for Mobile Phone
  2. 3D Camera To Plan
  3. Amazing Sticky Slime Simulator ASMR
  4. Amazing Video Editor
  5. AR Phone Booster – Battery Saver
  6. Bag X-Ray 100% Scanner
  7. Battery Live Wallpaper 4K
  8. Bus – Metrolis 2021
  9. Bus Driving Simulator
  10. Call Blocker-Spam Call Blocker
  11. Call Blocker-Spam Call Blocker
  12. Call Recoder Pro
  13. Call Record Pro
  14. Call Recorder iCall
  15. Caller ID & Spam Blocker
  16. CallerID
  17. Caller-x
  18. CallHelp: Second Phone Number
  19. Chat Translator All Messengers
  20. CIAO – Live Video Chat
  21. Cinema Hall: Free HD Movies
  22. Clap
  23. Clap To Find My Phone
  24. ClipBuddy
  25. Color Call Changer
  26. Coupons & Gifts: InstaShop
  27. CutCut Pro
  28. Daily Horoscope & Life Palmestry
  29. Dating App – Sweet Meet
  30. Easy Bass Booster
  31. Easy TV Show
  32. Ela-Salaty: Muslim Prayer Times & Qibla Direction
  33. English Arabic Translator direct
  34. Face Analyzer
  35. FastPulse – Heart Rate Monitor
  36. FindContact
  37. Fingerprint Changer
  38. Fingerprint Defender
  39. Fitness Point
  40. Fitness Trainer
  41. Forza H Mobile 4 Ultimate Edition
  42. Free Calls WorldWide
  43. Free Coupons 2021
  44. Free Islamic Stickers 2021
  45. Free Translator Photo
  46. FX Keyboard
  47. Geospot: GPS Location Tracker
  48. GetContacter
  49. GPS Phone Tracker – Family Locator
  50. Handy Translator Pro
  51. Heart Rate and Meal Tracker
  52. Heart Rate and Pulse Tracker
  53. Heart Rate Pro Health Monitor
  54. Heart Rhythm
  55. HOO Live – Meet and Chat
  56. Horoscope : Fortune
  57. Hunt Contact
  58. iCare – Find Location
  59. iConnected Tracker
  60. Icony
  61. Idle Gun Tycoon
  62. Instant Speech Translation
  63. Intelligent Translator Pro
  64. iSalam Qibla Compass
  65. iTranslator_ Text & Voice & Photo
  66. Keyboard Themes
  67. Keyboard: Virtual Projector App
  68. KFC Saudi – Get free delivery and 50% off coupons
  69. Language Translator-Easy&Fast
  70. Launcher iOS 15
  71. Launcher iOS for Android
  72. Lifeel – scan and test
  73. Live Mobile Number Tracker
  74. Live Wallpaper & Background
  75. Loca – Find Location
  76. Locatoria – Find Location
  77. Locker Tool
  78. Ludo Game Classic
  79. Ludo Speak v2.0
  80. Mine Easy Translator
  81. Mobile Things Finder
  82. My Chat Translator
  83. My Locator Plus
  84. OFFRoaders – Survive
  85. Parallax paper 3D
  86. Phone Caller Screen 2021
  87. Phone Finder by Clapping
  88. Phone Search by Clap
  89. PhoneControl Block Spam Calls
  90. Photo Effect Pro
  91. Photo Lab
  92. Piano Bot Easy Lessons
  93. PikCho Editor app
  94. Plant Camera Identifier
  95. Pony Video Chat-Live Stream
  96. Proof-Caller
  97. Prookie-Cartoon Photo Editor
  98. Pulse App – Heart Rate Monitor
  99. Qibla AR Pro
  100. Qibla Compass
  101. Qibla Compass (Kaaba Locator)
  102. Qibla correct Quran Coran Koran
  103. Qibla direction watch (compass)
  104. Qibla Finder – Qibla Direction
  105. Qibla Pass Direction
  106. Qibla Ultimate
  107. QR Code Reader – Barcode Scanner
  108. QR Reader Pro
  109. R Circle – Location Finder
  110. Racers Car Driver
  111. Safe Lock
  112. Scanner App Scan Docs & Notes
  113. Scanner Pro App: PDF Document
  114. Screen Mirroring TV Cast
  115. Second Translate PRO
  116. Skycoach
  117. Slime Simulator
  118. Smart Call Recorder
  119. Smart Spot Locator
  120. SnapLens – Photo Translator
  121. Soul Scanner – Check Your
  122. Squishy and Pop it
  123. Stickers Maker for WhatsApp
  124. Street Cars: pro Racing
  125. TagsContact
  126. Translate It – Online App
  127. Truck – RoudDrive Offroad
  128. TrueCaller & TrueRecoder
  129. Vector arts
  130. Video & Photo Recovery Manager 2
  131. VPN Zone – Fast & Easy Proxy
  132. What’s Me Sticker
  133. WiFi Unlock Password Pro X
  134. You Frame
  135. Zodiac : Hand
  136. Быстрые кредиты 24\7 (Russian: Fast Loans 24/7)
