Dangerous malware targets over 10 million Android users: Details here
Last updated on 01 Oct 2021, 18:37
Numerous mobile apps operating as Trojans have been subscribing unsuspecting users to paid services since November 2020, researchers at mobile security company Zimperium have found.
Named GriftHorse by researchers Aazim Yaswant and Nipun Gupta, this malware campaign targeted more than 10 million Android users in more than 70 countries and stole “hundreds of millions of dollars”.
These malicious apps were distributed through the Google Play Store and third-party app stores.
GriftHorse uses spam, misinformation and local language to deceive users
Victims, once their phones are infected, receive at least five spam alerts in an hour to claim bogus prizes.
After accepting the offer, they are redirected to a web page asking them to submit their phone numbers for verification. These web pages use local languages to build trust.
The submitted numbers are then signed up to a premium SMS service billed at over €30 per month.
Developers used the Apache Cordova framework to create malicious apps
Cyber criminals used the Apache Cordova mobile application development framework, which enables cross-platform mobile development, to create the Trojans.
Cordova allows developers to update applications automatically. In this case, the victims continued to lose money until they rectified the problem by contacting their SIM operators.
The developers avoided using hard-coded URLs or reusing domains to evade detection.
The Trojans were served according to the user's location so that the scam pages always appeared in the local language.
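The Cordova details above (automatic updates, no hard-coded URLs, location-dependent content) are the kind of thing a defender wants to triage quickly across an app inventory. The script below is an added example, not Zimperium's tooling or anything from the GriftHorse report: it inspects a decoded Android app directory (the layout a decoder such as apktool produces, assumed here) for Cordova's `assets/www/cordova.js` and parses `res/xml/config.xml` for the start page (`<content src>`), the network whitelist (`<access origin>`) and navigation rules (`<allow-navigation href>`), flagging apps whose content is loaded from a remote origin or whose whitelist is a wildcard. In a raw APK, `res/xml/config.xml` is compiled binary XML, so the app must be decoded first. The sample project it builds is constructed data, not a real app.

```python
"""Triage a decoded Android app for Cordova use and remote-content loading.

Added example, not Zimperium's code. Expects an app directory as produced by
a decoder such as apktool (assumption); in a raw APK, res/xml/config.xml is
compiled binary XML and cannot be read with a plain XML parser.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Paths Cordova uses inside an Android app (real Cordova layout).
CORDOVA_JS = os.path.join("assets", "www", "cordova.js")
CONFIG_XML = os.path.join("res", "xml", "config.xml")


def _local(tag):
    """Strip the XML namespace ({http://www.w3.org/ns/widgets}) from a tag."""
    return tag.rsplit("}", 1)[-1]


def triage_cordova_app(app_dir):
    """Summarise Cordova indicators for one decoded app directory."""
    result = {
        "is_cordova": os.path.isfile(os.path.join(app_dir, CORDOVA_JS)),
        "content_src": None,
        "access_origins": [],
        "allow_navigation": [],
        "findings": [],
    }
    config_path = os.path.join(app_dir, CONFIG_XML)
    if not os.path.isfile(config_path):
        return result

    root = ET.parse(config_path).getroot()
    for el in root.iter():
        name = _local(el.tag)
        if name == "content":
            result["content_src"] = el.get("src")
        elif name == "access":
            result["access_origins"].append(el.get("origin"))
        elif name == "allow-navigation":
            result["allow_navigation"].append(el.get("href"))

    # A start page fetched over the network means the app's behaviour can be
    # changed server-side after installation, without a store update.
    src = result["content_src"] or ""
    if src.startswith(("http://", "https://")):
        result["findings"].append(f"start page loaded from remote origin: {src}")
    if "*" in result["access_origins"]:
        result["findings"].append("access origin '*' permits requests to any host")
    for href in result["allow_navigation"]:
        host = (href or "").split("://", 1)[-1].split("/", 1)[0]
        if host == "*":
            result["findings"].append(f"wildcard navigation allowed: {href}")
    return result


def build_sample_project(base_dir):
    """Write a constructed Cordova-style layout (sample data, not a real app)."""
    os.makedirs(os.path.join(base_dir, "assets", "www"), exist_ok=True)
    os.makedirs(os.path.join(base_dir, "res", "xml"), exist_ok=True)
    with open(os.path.join(base_dir, CORDOVA_JS), "w") as f:
        f.write("// cordova.js placeholder (constructed)\n")
    config = """<?xml version="1.0" encoding="utf-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.constructed" version="1.0.0">
  <name>ConstructedSample</name>
  <content src="https://remote.example/app/index.html" />
  <access origin="*" />
  <allow-navigation href="https://*/*" />
</widget>
"""
    with open(os.path.join(base_dir, CONFIG_XML), "w") as f:
        f.write(config)
    return base_dir


def demo_report():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_cordova_app(build_sample_project(tmp))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Run over an inventory of decoded apps, the `findings` list separates ordinary Cordova apps (local start page, narrow whitelist) from those whose content and allowed hosts can be changed at will by whoever controls the server, which is the property the campaign above relied on.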
GriftHorse was not detected by antivirus software companies for months
According to Zimperium researchers, more than 200 Trojans were used in this malware campaign, and they went undetected by other antivirus vendors for several months.
Recently, Zimperium reported its findings to Google, which then removed the malicious apps from the Google Play Store. However, third-party app stores can still host Trojans.
New threats leverage cross-platform development frameworks
Zimperium researchers also warned that “the technique of abusing cross-platform development frameworks to go undetected” is increasingly common, and that such campaigns are harder for antivirus vendors to detect.