More than 10 million Android users have been saddled with a malware called GriftHorse that’s trojanizing various applications and secretly subscribing victims to premium mobile services – a type of billing fraud that researchers categorize as “fleeceware.”
Zimperium uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone-owners are usually none the wiser until they take a look at their mobile bills.
GriftHorse rode onto the scene in November of last year, and by now, “the total amount stolen could be well into the hundreds of millions of Euros,” according to Zimperium researchers, with each victim paying upwards of $40 per month.
Victims sprawl across 70 different countries, all packing sneaky extra charges that they may not be aware of. Google removed the flagged apps, but GriftHorse is far from corralled: There could be additional Play apps, installs could still be active on peoples’ phones, and the apps remain in many unofficial stores.
Distribution of GriftHorse Android malware victims. Source: Zimperium.
If users are unlucky enough to download one of the apps, they’ll find themselves “bombarded with alerts on the screen letting them know they had won a prize and need to claim it immediately,” according to Zimperium’s Wednesday analysis. “These pop ups reappear no less than five times per hour until the application user successfully accepts the offer.”
This is where it gets sneaky: Upon accepting the invitation for the prize, the malware serves victims selective pages, based on the geolocation of their IP addresses, using the local language and targeted verbiage. Those pages are also dynamically generated to avoid the blacklisting of strings by security solutions.
“These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains, and filtering/serving the malicious payload based on the originating IP address’s geolocation,” according to the researchers. “This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication and behaviors.”
The redirect page asks targets to submit their phone numbers for “verification.” In reality, typing in the numbers merely subscribes them to a premium SMS service that charges $42 on average per month (€36), which will show up on their phone bills.
Looking GriftHorse in the Mouth
The creators of the apps have employed several novel techniques to help the apps stay off the radar of security vendors, the analysis found. In addition to the no-reuse policy for URLs mentioned above, the cybercriminals are also developing the apps using Apache Cordova.
Cordova allows developers to use standard web technologies – HTML5, CSS3 and JavaScript – for cross-platform mobile development – which in turn allows them to push out updates to apps without requiring user interaction.
“[This] technology can be abused to host the malicious code on the server and develop an application that executes this code in real-time,” according to Zimperium. “The application displays as a web page that references HTML, CSS, JavaScript and images.”
The campaign is also supported with a sophisticated architecture and plenty of encryption, which makes detection more difficult, according to the researchers.
For instance, when an app is launched, the encrypted files stored in the “assets/www” folder are decrypted using AES. After a bit more unpacking, the core functionality source code uses the GetData() function to establish communication between the application and a first-stage command-and-control (C2) server by encrypting an HTTP POST request.
The app then receives an encrypted response, which is decrypted using AES to collect a second-stage C2 URL. It also executes a GET request using Cordova’s “InAppBrowser” function to uncover a third-stage URL, and it starts pushing user notifications about the supposed “prize” once an hour, five times in a row, according to the analysis.
“The second-stage C2 domain is always the same irrespective of the application or the geolocation of the victim,” researchers explained. “The third-stage URL displays the final page asking for the victim’s phone number and subscribes to several paid services and premium subscriptions.”
JavaScript code embedded in the page is responsible for the malicious behavior of the application, researchers added: “The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application-level) code. This can include the collection of data about the device, including IMEI and IMSI among others.”
Android Fleeceware Continues to Plague Users
GriftHorse is not the only malware that looks to defraud victims via trojanized apps. The well-documented Joker malware, for example, has been circulating since 2017, disguising itself within hundreds of common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers.
Once installed, Joker silently simulates clicks and intercepts SMS messages to – you guessed it – subscribe victims to unwanted, paid premium services controlled by the attackers. The apps also steal SMS messages, contact lists and device information.
GriftHorse takes a slightly different approach than Joker, but Zimperium warned that it’s just as virulent.
Source: Zimperium.
“The threat actors have exerted substantial effort to maximize their presence in the Android ecosystem through a large number of applications, developer accounts and domains,” they said. “The GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021. The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions.”
Detected GriftHorse Apps
- 100% Projector for Mobile Phone
- 3D Camera To Plan
- Amazing Sticky Slime Simulator ASMR\u200f
- Amazing Video Editor
- AR Phone Booster – Battery Saver
- Bag X-Ray 100% Scanner
- Battery Live Wallpaper 4K
- Bus – Metrolis 2021
- Bus Driving Simulator
- Call Blocker-Spam Call Blocker
- Call Blocker-Spam Call Blocker
- Call Recoder Pro
- Call Record Pro
- Call Recorder iCall
- Caller ID & Spam Blocker
- CallerID
- Caller-x
- CallHelp: Second Phone Number
- Chat Translator All Messengers
- CIAO – Live Video Chat
- Cinema Hall: Free HD Movies
- Clap
- Clap To Find My Phone
- ClipBuddy
- Color Call Changer
- Coupons & Gifts: InstaShop
- CutCut Pro
- Daily Horoscope & Life Palmestry
- Dating App – Sweet Meet
- Easy Bass Booster
- Easy TV Show
- Ela-Salaty: Muslim Prayer Times & Qibla Direction
- English Arabic Translator direct
- Face Analyzer
- FastPulse – Heart Rate Monitor
- FindContact
- Fingerprint Changer
- Fingerprint Defender
- Fitness Point
- Fitness Trainer
- Forza H Mobile 4 Ultimate Edition
- Free Calls WorldWide
- Free Coupons 2021
- Free Islamic Stickers 2021
- Free Translator Photo
- FX Keyboard
- Geospot: GPS Location Tracker
- GetContacter
- GPS Phone Tracker – Family Locator
- Handy Translator Pro
- Heart Rate and Meal Tracker
- Heart Rate and Pulse Tracker
- Heart Rate Pro Health Monitor
- Heart Rhythm
- HOO Live – Meet and Chat
- Horoscope : Fortune
- Hunt Contact
- iCare – Find Location
- iConnected Tracker
- Icony
- Idle Gun Tycoo\u202an\u202c
- Instant Speech Translation
- Intelligent Translator Pro
- iSalam Qibla Compass
- iTranslator_ Text & Voice & Photo
- Keyboard Themes
- Keyboard: Virtual Projector App
- KFC Saudi – Get free delivery and 50% off coupons
- Language Translator-Easy&Fast
- Launcher iOS 15
- Launcher iOS for Android
- Lifeel – scan and test
- Live Mobile Number Tracker
- Live Wallpaper & Background
- Loca – Find Location
- Locatoria – Find Location
- Locker Tool
- Ludo Game Classic
- Ludo Speak v2.0
- Mine Easy Translator
- Mobile Things Finder
- My Chat Translator
- My Locator Plus
- OFFRoaders – Survive
- Parallax paper 3D
- Phone Caller Screen 2021
- Phone Finder by Clapping
- Phone Search by Clap
- PhoneControl Block Spam Calls
- Photo Effect Pro
- Photo Lab
- Piano Bot Easy Lessons
- PikCho Editor app
- Plant Camera Identifier
- Pony Video Chat-Live Stream
- Proof-Caller
- Prookie-Cartoon Photo Editor
- Pulse App – Heart Rate Monitor
- Qibla AR Pro
- Qibla Compass
- Qibla Compass (Kaaba Locator)
- Qibla correct Quran Coran Koran
- Qibla direction watch (compass)
- Qibla Finder – Qibla Direction
- Qibla Pass Direction
- Qibla Ultimate
- QR Code Reader – Barcode Scanner
- QR Reader Pro
- R Circle – Location Finder
- Racers Car Driver
- Safe Lock
- Scanner App Scan Docs & Notes
- Scanner Pro App: PDF Document
- Screen Mirroring TV Cast
- Second Translate PRO
- Skycoach
- Slime Simulator
- Smart Call Recorder
- Smart Spot Locator
- SnapLens – Photo Translator
- Soul Scanner – Check Your
- Squishy and Pop it
- Stickers Maker for WhatsApp
- Street Cars: pro Racing
- TagsContact
- Translate It – Online App
- Truck – RoudDrive Offroad
- TrueCaller & TrueRecoder
- Vector arts
- Video & Photo Recovery Manager 2
- VPN Zone – Fast & Easy Proxy
- What’s Me Sticker
- WiFi Unlock Password Pro X
- You Frame
- Zodiac : Hand
- Быстрые кредиты 24\7
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
