A large-scale malware campaign has infected more than 10 million Android devices from over 70 countries and likely stole hundreds of millions of dollars from its victims by tricking them into subscribing to paid services without their knowledge.
GriftHorse, the trojan used in these attacks, was discovered by Zimperium zLabs researchers who first spotted this illicit global premium services campaign.
The malware was delivered using over 200 trojanized Android applications delivered through Google’s official Play Store and third-party app stores.
While Google has removed the apps after being notified of their malicious nature, they are still available for download on third-party repositories.
According to the researchers’ estimates, the cybercriminals could steal millions in recurring payments every month from victims around the world.
Heatmap victims across over 70 countries (Zimperium)
They used the GriftHorse malware to infect their victims and subscribed them to premium services, lining their pockets with hundreds of millions.
The 200 trojanized applications were undetected by the vast majority of anti-malware vendors and managed to evade detection for months while the GriftHorse campaign was active.
Once installed on a victim’s phone, these malicious apps gained access to the mobile phone number and used it to present their victims with prize and gift alerts that trick the unsuspecting victims to subscribe to premium SMS services.
Victims who didn’t notice right away (likely those who set up recurring payments through their bank accounts) paid these charges for months, with few options to get their money back.
Here is a complete list of all trojanized apps used in the GriftHorse campaign
the list is at the end of Zimperium’s report.
Thanks again and stay safe!