The latest Android trojan dubbed GriftHorse was spread via the Google Play store and several third-party app shops, infecting over 10 million smartphones worldwide.
It has fleeced hundreds of millions of dollars from victims globally, applying advanced techniques.
GriftHorse malware has infected over 10 million Android users, trojanizing various apps and silently subscribing affected users to premium mobile services, a sort of billing fraud known as “fleeceware”, according to researchers.
Across all categories, Zimperium discovered more than 130 GriftHorse apps published through Google Play and third-party app stores. According to the researchers, some of them have minimal functionality while others do nothing.
In every case, once installed, the apps charge victims for premium services, but phone owners are frequently unaware of this until they check their phone bills.
GriftHorse first appeared in November of last year, and according to Zimperium analysts, “the total amount stolen might be well into the hundreds of millions of Euros,” with each victim paying upwards of $40 per month.
Victims are scattered across more than 70 countries, all saddled with hidden extra charges. Google removed the flagged apps, but GriftHorse is far from corralled: installs could still be active on people’s phones, and the apps remain in many unofficial stores.
Lurking Extra Charges
According to Zimperium’s Wednesday study, if users are unlucky enough to download one of the Android apps, they would be “bombarded with messages on the screen letting them know they had won a reward and needed to collect it immediately.”
“These pop-ups occur at least five times every hour until the application user accepts the offer successfully.” After accepting the prize offer, the malware serves users specific websites based on their IP addresses’ geography, utilising local language and customised wording.
Those pages are also dynamically generated to circumvent security solutions that blocklist strings.
According to the researchers, the attackers avoided detection by malware researchers by not hardcoding URLs or reusing the same domains, and by filtering and serving the harmful payload based on the originating IP address’s geolocation.
“Through this strategy, the attackers were able to target many countries in various ways. This server-side check circumvents dynamic analysis for network interactions and behaviours.”
The redirect page asks victims to submit their phone numbers for “verification.” In truth, punching in the number only enrols them in a premium SMS service, which costs $42 per month on average and will appear on their phone bills.
In the Mouth of a GriftHorse
According to the investigation, the app’s designers used several unique tactics to keep the apps off the radar of security firms. In addition to the above-mentioned no-reuse rule for URLs, the fraudsters also employ Apache Cordova to build the apps.
Cordova enables cross-platform mobile development using standard web technologies such as HTML5, CSS3, and JavaScript, allowing developers to push out updates to apps without requiring user involvement.
According to Zimperium, “[this] technology can be misused to host malicious code on the server and construct an application that runs this code in real-time.” “The application appears as a web page with HTML, CSS, JavaScript, and picture references.”
According to the experts, the campaign is also supported by a sophisticated architecture and heavy use of encryption, making identification more difficult. For example, the encrypted files in the “assets/www” folder are decrypted using AES when the app is opened.
After a little more unpacking, the basic functionality source code uses the GetData() function to encrypt an HTTP POST request to establish contact between the application and a first-stage command-and-control (C2) server.
The app then receives an encrypted answer, which it decrypts with AES to obtain a C2 URL for the second stage.
The app then makes a GET request using Cordova’s “InAppBrowser” function to reach a third-stage URL. It begins sending the user notifications about the alleged “prize” once an hour, five times in a row.
“Regardless of the application or the victim’s geolocation, the second-stage C2 domain is always the same,” researchers noted.
The third-stage URL leads to a final website that requests the victim’s phone number and subscribes the victim to a range of paid services and premium subscriptions.
According to the researchers: “The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application-level) code.
This can entail gathering information about the device, such as the IMEI and IMSI, among other things.”
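The encrypted “assets/www” packaging described above gives defenders a cheap static triage check. The following added example, which is not code from the article or from Zimperium, builds a constructed stand-in APK (a plain zip with a Cordova-style web tree) and flags web assets whose byte entropy is too high to be readable HTML or JavaScript; the threshold and sample files are assumptions, and the “ciphertext” is deterministic hash output standing in for AES-encrypted content.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Assumed values for this example; tune against real Cordova apps before use.
WEB_EXTENSIONS = (".html", ".htm", ".js", ".css", ".json")
ENTROPY_THRESHOLD = 7.0  # bits per byte; readable text assets sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or random data, ~4-5 for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_cordova_assets(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return {path: entropy} for assets/www web files that look encrypted.

    Cordova keeps the app's web content under assets/www. A file with a web
    extension that is high-entropy rather than readable markup or script is a
    sign the real content is only decrypted at runtime, as described for GriftHorse.
    """
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/www/") or not name.lower().endswith(WEB_EXTENSIONS):
                continue
            entropy = shannon_entropy(apk.read(name))
            if entropy >= threshold:
                flagged[name] = round(entropy, 2)
    return flagged


def build_sample_apk(encrypted: bool) -> bytes:
    """Constructed stand-in APK (just a zip) with a Cordova-style assets/www tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/www/cordova.js", "var cordova = cordova || {};\n" * 50)
        if encrypted:
            # Deterministic stand-in for AES ciphertext: 4096 bytes of SHA-256 output.
            blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
            z.writestr("assets/www/index.html", blob)
        else:
            z.writestr("assets/www/index.html", "<html><body>Hello</body></html>\n" * 100)
    return buf.getvalue()
```

Run `scan_cordova_assets` over a real APK's bytes to list any web assets worth unpacking by hand.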
The Malware Continues to Plague Users
GriftHorse is not the first malware to use trojanized programmes to defraud victims. For example, the well-known Joker malware has been circulating since 2017, hiding in hundreds of legitimate-looking programmes such as camera apps, games, messengers, photo editors, translators, and wallpapers.
Once installed, Joker stealthily simulates clicks and intercepts SMS messages to – you guessed it – force users to pay for unwelcome premium services controlled by the attackers.
The apps also steal SMS messages, contact lists, and device information.
GriftHorse takes a different strategy than Joker, but Zimperium warns that it is just as dangerous.
“Through a vast number of applications, developer accounts, and domains, the threat actors have made a significant effort to maximise their visibility in the Android ecosystem,” they stated, adding that the GriftHorse campaign is one of the most pervasive in 2021, according to the zLabs threat analysis team.
The cybercriminal group behind the GriftHorse campaign has established a steady cash flow of illicit monies from these victims, producing millions in recurring revenue each month and a total value of hundreds of millions of dollars stolen.