A new Trojan has infected the handsets of more than 10 million people in more than 70 countries, using seemingly harmless Android applications that, without the users’ knowledge, subscribe them to services that cost 36 euros per month.
The Trojan horse was given the name “GriftHorse” by Zimperium zLabs researchers. The propagation of this Trojan began in November 2020, and victims have been reported in countries such as Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the United Kingdom, and the United States, among other locations.
The campaign made use of at least 200 Trojanised apps that were downloaded through Google Play and unauthorised app stores, making it one of the most pervasive scams to be identified this year in terms of distribution. Given the wide range of categories the malicious applications covered, from tools and entertainment to personalisation and dating, it is not surprising that the attack reached such a large scale. One of the apps, Handy Translator Pro, recorded 500,000 downloads.
Although traditional subscription scams often take advantage of phishing techniques, this scam hides behind malicious Android apps that work like Trojans, allowing it to take advantage of user interactions in order to propagate and infect more people, according to Zimperium researchers.
If you look at the store descriptions and required permissions, these fraudulent Android apps appear safe. However, this false sense of trust is quickly shattered when users are charged a monthly subscription for services they were subscribed to without their knowledge or agreement.
GriftHorse, like other banking Trojans, does not exploit vulnerabilities in the Android operating system; instead, users are tricked into subscribing to SMS services after downloading malicious apps.
Following the infection, victims were inundated with fake notifications, including claims that they had won a “prize” that they were required to claim immediately. These notifications appear at least five times within an hour until the user succumbs to the pressure and accepts the offer, at which point the process repeats. Whenever users tap the notification, the Trojan takes them to web pages that are customised to the device’s IP address and language. This technique has proven to be successful, most likely because users share their data more readily when asked in their native language. By doing so, they are actually submitting their phone number to the premium SMS service, for which they are charged a monthly fee of 30 euros.
The victim does not immediately realise what they have done, and it is highly likely that it will take months before they recognise what has happened and why their phone bills have soared.
GriftHorse managed to stay under the radar and evade detection by antivirus software while generating millions of dollars in revenue every month, with analysts estimating that the criminals’ total revenue surpassed several hundred million euros.
After Zimperium notified Google of its discovery, the applications were withdrawn from the Google Play Store. Keep in mind, though, that the apps are still available through third-party app stores.
On the Zimperium website, you can see a list of the apps that Google has removed from the Play Store in the past few months.